restricting command arguments?

Ofer Inbar cos at permabit.com
Tue Mar 4 16:07:05 EST 2003


I'd like to allow people to run a particular command with no password,
and exactly two arguments, the second one of which is partly arbitrary.
But I do not want to allow them to add any more arguments.  For example,
 I want to allow "cmd -opt /foo/file",
 but not allow "cmd -opt /foo/file /other/path"
 or "cmd -opt /foo/file -opt2"

I can have a rule like this:
  ALL SHARED = NOPASSWD: /bin/cmd -opt /foo/*

But that allows people to add arbitrarily many extra arguments after.
I've looked through the man page and don't see anything helpful about
this, but it seems very strange to me that sudo would allow you to
restrict arguments with wildcards, but *not* allow you to prevent
people from adding extra arguments.

I searched the list archives and found this, which looks related:
  http://www.sudo.ws/mailman/htdig/sudo-users/2001-May/001529.html
There weren't any followups, though, and that poster's email address
now bounces.

--
  --  Cos (Ofer Inbar)  --     cos at aaaaa.org  781-273-2380
  --  Permabit, Inc.    --  cos at permabit.com  617-252-9600
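
An added example, not part of the original post: a simplified Python model of the matching behaviour described above, which assumes sudoers compares the command-line arguments as one space-joined string, so the trailing `*` also matches spaces and later words. `strict_match` and `SAFE_NAME` are hypothetical names for a per-argument check that a root-owned wrapper script could apply instead.

```python
import fnmatch
import re

# Argument pattern from the rule quoted in the post: /bin/cmd -opt /foo/*
RULE_ARGS = "-opt /foo/*"

def sudoers_style_match(pattern, argv):
    """Simplified model (assumption): the argument list is compared as one
    space-joined string, so '*' can also match spaces and later words."""
    return fnmatch.fnmatchcase(" ".join(argv), pattern)

# Hypothetical wrapper policy: a plain file name, no slashes or whitespace.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def strict_match(argv):
    """Per-argument check: exactly two arguments, the fixed option, and one
    file located directly under /foo/."""
    if len(argv) != 2 or argv[0] != "-opt":
        return False
    prefix, sep, name = argv[1].rpartition("/")
    if prefix != "/foo" or sep != "/" or name in (".", ".."):
        return False
    return SAFE_NAME.fullmatch(name) is not None

# The three invocations from the post, written as argument vectors.
SAMPLES = [
    ["-opt", "/foo/file"],
    ["-opt", "/foo/file", "/other/path"],
    ["-opt", "/foo/file", "-opt2"],
]

def audit(samples):
    """Return (argv, wildcard rule matches?, strict check passes?) per sample."""
    return [(a, sudoers_style_match(RULE_ARGS, a), strict_match(a)) for a in samples]

if __name__ == "__main__":
    for argv, loose, strict in audit(SAMPLES):
        print(f"{' '.join(argv):40} wildcard={loose!s:5} strict={strict}")
```
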

