Hiding sudo from sudo users

Emil Isberg emil.isberg at mds.mdh.se
Tue Jun 13 16:59:45 EDT 2000

On Tue, 13 Jun 2000 zahst at act.org wrote:
>     I was wondering if there was a way to allow users to run sudo commands 
>     without typing sudo <command> and just type the command instead.  I 
>     know it sounds crazy, but here's why.

Simply put: No.
But there are ways to solve the issue:
* Build a patched shell that runs "sudo command args" if command is in the
    /usr/etc directory and give that shell the the user.
* Make aliases or functions that simply does "sudo command args":
   (cd /usr/etc;for i in *
    do echo "$i" '() { sudo /usr/etc/"$i" "$@"; }';done)
* Make one shellscript (or binary program) that calls sudo with it's
    _name_ (argv[0]) with /usr/etc prepended and the rest of the args
    untouched. And make a link for each of the programs in /usr/etc to
    this program.
    (cd /usr/etc;for i in *
     do (cd /home/of/user/bin;ln myprog "$i";);done)

>     I need to allow anyone logged in as user techsupp to be able to run 
>     commands in the /usr/etc directory.  Currently they are allowed to run 
>     a restart command on another machine, but they don't type sudo 
>     restart.  A script was setup that when they type restart, it calls the 
>     /usr/local/bin/sudo then the path to the restart command.  The reason 
>     for this is security, we don't want them knowing they are accessing 
>     things any differently than normal.

I would recommend that you inform your users that they do run sudo...
There is no security issues in withholding information.
(The informations will get out in one way or another: what if the user
runs ps as they run the program??)
I would simply say that those cryptoprotocol that are published are more
secure (by fact) than those nonpublished.

Hell hath no fury like a bureaucrat scorned.
		-- Milton Friedman

More information about the sudo-users mailing list