restricted chmod

Emil Isberg emil.isberg at mds.mdh.se
Mon Mar 20 13:47:09 EST 2000


On Mon, 20 Mar 2000, Smith, Kevin (CAP, GCF) wrote:
>Does anyone know if:
>!/bin/chmod 4*** * is a valid NOT entry for the sudoers file?
>If not, has anyone managed to trap a certain chmod permission octal??

I think there are quite a few questions of the same kind, and the answer
to those questions is quite simple: No, you can't do that.

The understanding is a little bit harder as it demands some explaining
about the way sudo gives permissions via sudoers.

If you in sudoers give permission for a user to use a program but don't
want the user to use a certain combination of arguments to that program
you lose. But if you give permission for a user to use a program with a
certain combination of arguments they will not be able to run any other
argument before those.

But as most programs can handle the arguments "the other way 'round" you
will lose again.

The ONLY way to be somewhat certain is if you use a wrapper program and give
sudo permissions to that instead of the program in question.

Though there is one other way to solve the problem and that is to make the
users into real system administrators and give them full rights (and
responsibility).

-- 
Rune's Rule:
	If you don't care where you are, you ain't lost.
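
The wrapper approach mentioned in the message above, as an added example that is not part of the original post or of sudo itself: the wrapper name `rchmod`, its install path and the sudoers line in the comment are assumptions. It accepts only a plain octal mode in a fixed first position (rejecting setuid, setgid and sticky bits, symbolic modes and options) and hands the remaining arguments to /bin/chmod after `--`, so argument order cannot be used to get around the check.

```shell
#!/bin/sh
# Added example: restricted chmod wrapper, hypothetical path /usr/local/sbin/rchmod.
# sudoers grants the wrapper instead of /bin/chmod, e.g. (constructed entry):
#   kevin ALL = /usr/local/sbin/rchmod

# mode_allowed MODE: succeed only for a plain octal mode without special
# bits, i.e. exactly three octal digits, or four with a leading 0.
mode_allowed() {
    case "$1" in
        [0-7][0-7][0-7])   return 0 ;;
        0[0-7][0-7][0-7])  return 0 ;;
        *)                 return 1 ;;  # 4xxx, 2xxx, 1xxx, u+s, -R, empty, ...
    esac
}

# args_allowed MODE FILE...: the mode must pass and at least one file must follow.
args_allowed() {
    [ "$#" -ge 2 ] || return 1
    mode_allowed "$1" || return 1
    return 0
}

# rchmod MODE FILE...: validate, then call the real chmod by absolute path.
# "--" ends option parsing, so a file named "-R" or "4755" stays a file name.
rchmod() {
    if ! args_allowed "$@"; then
        echo "usage: rchmod OCTAL_MODE FILE... (special bits not allowed)" >&2
        return 64
    fi
    mode=$1
    shift
    /bin/chmod -- "$mode" "$@"
}

# Run only when installed and invoked under the wrapper's own name.
if [ "${0##*/}" = rchmod ]; then
    rchmod "$@"
    exit $?
fi
```

The wrapper still runs chmod as root on whatever files are named, so a real deployment would also restrict the file arguments (for example to one directory tree, with symlinks resolved first).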



