limiting commands to directories

Matthew Hannigan mlh at
Thu Aug 29 10:03:34 EDT 2002

Saxon, Lamar wrote:
> Can't you simply create a command alias like:
> Cmnd_Alias      CHMOD=/usr/bin/chown userid /local/develop/*
> Seems to work fine in my environment...
> Lamar

No good.  The user can do:

sudo chown me /local/develop/../../../../../../etc/passwd

and then become root after s/he edits the passwd file.

The * doesn't match a / in the command, but it matches
anything in the command's args.

Bottom line, do not rely on pattern matching in sudoers.

Use wrapper scripts!


PS another pitfall:

EVEN if the pattern matching did not match a /, I can become
root if I can write to /local/develop: I can create a symlink:

     ln -s /etc/passwd /local/develop/mylink

and then chown mylink, which chowns /etc/passwd, not the link.

You need to force use of the -h flag on chown to prevent this one.

More information about the sudo-users mailing list