If I have in my sudoers file the line

Cmnd_Alias	TOOLS = /usr/local/*

Does it mean that all directories below /usr/local will be included?

Example: I need a user to execute commands in /usr/local/bin and
/usr/local/sbin but I DO NOT want to add both directories to sudoers, I
would like to add only /usr/local/*. Will it work?

> I suppose sudo could tee stdin/out/err to a file.  Can that be
> defeated?

Probably.  You can do the equivalent of dup(2) in the shell.
The real way to do this is to intercept execve(2) and do the
sudo checks there but that requires using ptrace(2) which
a) I've never used and b) which seems OS-specific.

It's something I'd like to look into some day but not right now...

 - todd

