[sudo-users] (Hopefully) quick policy question
Jore
community at thoughtmaybe.com
Tue Sep 26 08:32:43 MDT 2023
Hi there,
On a default Ubuntu 22.04.2 LTS server, with sudo version 1.9.9, I'd
like to allow the user called 'test' to run root's acme.sh certificate
manager bash script in a safe way, and only to issue new domain
certificates, like so:
sudo bash /root/acme.sh/acme.sh --issue --domain some-new-domain.example.com --webroot /some/path/ssl/
So I'm thinking something like this for /etc/sudoers.d/test:
test ALL = NOPASSWD: /usr/bin/bash /root/acme.sh/acme.sh --issue --domain * --webroot /some/path/ssl/
But that's not "safe", right?
I mean, is there a way to tighten that up with regex for instance,
instead of the * glob?
I did a bit of reading on this here:
https://stackoverflow.com/questions/10306690/
But then I also note sudo 1.9.9 doesn't support regex? In that case...
what might be some suggestions to do this sort of thing sensibly? ;)
Thanks,
Jore
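
One way to avoid the * glob asked about above, shown as an added example that is not part of the original message and is not code from sudo or acme.sh: a root-owned wrapper that accepts exactly one argument, checks that it is a plain hostname, and fixes every other argument itself. This matters because a sudoers * in command arguments also matches spaces, so it does not confine the user to a single domain value. The wrapper path /usr/local/sbin/acme-issue and the sudoers line in the comments are assumptions; the acme.sh path, options and webroot are the ones from the post.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/sbin/acme-issue (root:root, 0755).
# Assumed sudoers entry (no arguments listed, so the wrapper does all checking):
#   test ALL = (root) NOPASSWD: /usr/local/sbin/acme-issue
LC_ALL=C; export LC_ALL          # make the a-z range below mean ASCII only
ACME=/root/acme.sh/acme.sh       # path from the post
WEBROOT=/some/path/ssl/          # path from the post

# Return 0 only for a lowercase DNS hostname with at least two labels.
# Whitespace, "*", "/" and a leading "-" are all rejected, so the value
# cannot be read by acme.sh as an extra option or a path.
valid_domain() {
    d=$1
    [ "${#d}" -ge 1 ] && [ "${#d}" -le 253 ] || return 1
    case $d in
        *[!a-z0-9.-]*) return 1 ;;   # character outside the allowed set
        .*|*.|*..*)    return 1 ;;   # empty label
        *.*)           ;;            # has at least one dot
        *)             return 1 ;;   # single label, e.g. "localhost"
    esac
    rest=$d
    while [ -n "$rest" ]; do         # walk the labels left to right
        label=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Validate, then replace this process with the fixed acme.sh invocation.
issue_cert() {
    [ "$#" -eq 1 ] || { echo "usage: acme-issue DOMAIN" >&2; return 2; }
    valid_domain "$1" || { echo "acme-issue: rejected domain" >&2; return 1; }
    exec /usr/bin/bash "$ACME" --issue --domain "$1" --webroot "$WEBROOT"
}

# Only act when an argument was supplied.
if [ "$#" -gt 0 ]; then issue_cert "$@"; fi
```

The user 'test' would then run: sudo /usr/local/sbin/acme-issue some-new-domain.example.com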