restricting command arguments?

mlh at mlh at
Tue Mar 4 19:51:25 EST 2003

On Tue, Mar 04, 2003 at 04:07:05PM -0500, Ofer Inbar wrote:
> I'd like to allow people to run a particular command with no password,
> and exactly two arguments, the second one of which is partly arbitrary.
> But I do not want to allow them to add any more arguments.  For example,
>  I want to allow "cmd -opt /foo/file",
>  but not allow "cmd -opt /foo/file /other/path"
>  or "cmd -opt /foo/file -opt2"
> I can have a rule like this:
>   ALL SHARED = NOPASSWD: /bin/cmd -opt /foo/*
> But that allows people to add arbitrarily many extra arguments after.
> I've looked through the man page and don't see anything helpful about

Did you read this?

Read "man fnmatch" for more info.

In brief, I don't think you can do what you want to do.

I had thought you could use a pattern like [a-zA-Z]* instead,
but that just doesn't work like regular expressions.
fnmatch is appropriate for filename matching (as the name suggests)
but isn't so useful for arg matching.

It might not be so difficult to add real RE/ERE/PCRE matching
to sudo. (but I'm not volunteering :-)

PS. Philosophically, it is important to see sudo as an enabler not
a restricter.  It is common to see misunderstandings when people
try to restrict with sudo itself.

More information about the sudo-users mailing list