restricting command arguments?

Ofer Inbar cos at
Tue Mar 4 16:07:05 EST 2003

I'd like to allow people to run a particular command with no password,
and exactly two arguments, the second one of which is partly arbitrary.
But I do not want to allow them to add any more arguments.  For example,
 I want to allow "cmd -opt /foo/file",
 but not allow "cmd -opt /foo/file /other/path"
 or "cmd -opt /foo/file -opt2"

I can have a rule like this:
  ALL SHARED = NOPASSWD: /bin/cmd -opt /foo/*

But that allows people to add arbitrarily many extra arguments after.
I've looked through the man page and don't see anything helpful about
this, but it seems very strange to me that sudo would allow you to
restrict arguments with wildcards, but *not* allow you to prevent
people from adding extra arguments.

I searched the list archives and found this, which looks related:
There weren't any followups, though, and that poster's email address
now bounces.

  --  Cos (Ofer Inbar)  --     cos at  781-273-2380
  --  Permabit, Inc.    --  cos at  617-252-9600

More information about the sudo-users mailing list