how to prevent ./*

Howard Owen hbo at egbok.com
Wed Nov 12 11:19:32 EST 2003


From sudoers(5):

	A Cmnd_List is a list of one or more commandnames, directories,
	and other aliases.  A commandname is a fully qualified filename 
	which may include shell-style wildcards ..

So neither the plain command name nor ./name is permitted, since they
are not fully qualified.

If you want to prevent a user from running /bin/ls, for example, you
can specify the full path. But as you note the user can simply copy the
executable somewhere else and run that. Since you can specify shell
"glob" expressions, you could do this:

	test2   ALL=(ALL)       ALL,!/ls,!/*/ls,!/*/*/ls

And so on down to the limit of your filesystem's nested directories.
Note however that they could name the file 'foo' and get around any such
restrictions.

On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> Thanks, however, sudoers' syntax won't let me do that.
> 
> 
> >From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
> >To: "Martin Vazquez" <mtrash1 at hotmail.com>, shadhanker at gmx.net,   
> >sudo-users at sudo.ws
> >Subject: RE: how to prevent ./*
> >Date: Wed, 12 Nov 2003 08:08:44 -0600
> >
> >
> >How about just !XX?
> >
> >-----Original Message-----
> >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On
> >Behalf Of Martin Vazquez
> >Sent: Wednesday, November 12, 2003 6:31 AM
> >To: shadhanker at gmx.net; sudo-users at sudo.ws
> >Subject: Re: how to prevent ./*
> >
> >
> >
> >Hi Rahul,
> >
> >Thank you very much for your answer.
> >Unfortunately, I did not express myself correctly in my initial mail.
> >When I configure !/usr/bin/XX, then the users are still allowed to do
> >sudo ./XX, because ./ does not match with /usr/bin.
> >
> >Any further idea?
> >
> >Thanks again
> >
> >Martin
> >
> > >From: "Rahul" <shadhanker at gmx.net>
> > >To: "Martin Vazquez" <mtrash1 at hotmail.com>,<sudo-users at sudo.ws>
> > >Subject: Re: how to prevent ./*
> > >Date: Wed, 12 Nov 2003 14:41:58 +0530
> > >
> > >Hello Martin,
> > >
> > >You can configure sudoers files with "!/usr/bin/XX"
> > >But make sure that the user (who's in the sudoers file) is using $ sudo
> > >./XX  [or] $ sudo /usr/bin/XX
> > >
> > >NOT just
> > >
> > >$./XX or
> > >$/usr/bin/XX
> > >
> > >Hope this helps and let me know how it works.
> > >
> > >Thanks and Regards,
> > >-sadha
> > >
> > >
> > > > Can anyone tell me how to configure sudoers in order to prevent
> > > > someone from doing ./* ?
> > > > I am trying to prevent someone from executing a command XX, so I
> > > > configured
> > > >
> > > > !/usr/bin/XX
> > > >
> > > > but still that user can go and do cd /usr/bin, ./XX.
> > > >
> > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error.
> > > >
> > > > Can anyone tell how to do it?
> > > >
> > > > By the way, is it possible to include subdirectories when putting
> > > > wildcards?
> > > > For instance, I would like !/usr/* to prevent from doing everything
> > > > under /usr, including subdirectories. Any idea?
> > > >
> > > > Thanks a lot
> > > >
> > > > Martin
> > > >
> > > > ____________________________________________________________
> > > > sudo-users mailing list <sudo-users at sudo.ws>
> > > > For list information, options, or to unsubscribe, visit:
> > > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > > >
> > >
> >
> >
> 

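The thread's point, that a `!` entry under `ALL` only removes one spelling of a path and is sidestepped by `./XX`, by a copy in another directory, or by a rename, is easy to see in a small model of how a Cmnd_List is evaluated. The following is an added example written for this archive page; it is not sudo's own code and not something from the thread. It models only the command part of a sudoers entry (no user, host or runas fields), compares the command string exactly as the user typed it (the behaviour Martin reports, where `./XX` never equals `/usr/bin/XX`), and follows sudo's rule that `*` and `?` in a command glob do not cross a `/`, which is why Howard's line needs one `!/*/ls` entry per directory depth and why `!/usr/*` does not reach into `/usr/bin`. The `deny_at_all_depths` helper and the allow-list specs at the bottom are constructed for the demonstration.

```python
import re

# Added example (not sudo's code, not from the thread): a simplified model of
# sudoers Cmnd_List evaluation, used to show why the '!'-based denies
# discussed above are bypassable and why an allow-list is not.


def glob_to_regex(pattern):
    """Translate a sudoers command glob to a regex; '*' and '?' stop at '/'
    (sudo matches command globs with FNM_PATHNAME semantics)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def cmnd_matches(pattern, cmd):
    """Does one Cmnd_List entry match the command path the user supplied?"""
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):
        # Directory entry: any file directly inside it, but not subdirectories.
        return cmd.rsplit("/", 1)[0] + "/" == pattern
    return glob_to_regex(pattern).match(cmd) is not None


def parse_cmnd_list(spec):
    """'ALL,!/ls,!/*/ls' -> [(negated, pattern), ...] in the order written."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        entries.append((item.startswith("!"), item.lstrip("!")))
    return entries


def evaluate(spec, cmd):
    """True if the model allows cmd under spec.

    Entries are scanned in order and the last matching one wins; a matching
    '!' entry turns the result into a deny.  No match at all is a deny.
    The command is compared as typed, so a relative './XX' never equals an
    absolute '/usr/bin/XX'.
    """
    allowed = False
    for negated, pattern in parse_cmnd_list(spec):
        if cmnd_matches(pattern, cmd):
            allowed = not negated
    return allowed


def deny_at_all_depths(name, depth):
    """Build Howard's 'ALL,!/ls,!/*/ls,!/*/*/ls' style list for `depth` levels
    (constructed helper; depth=3 reproduces the line in the thread)."""
    denies = ["!" + "/*" * d + "/" + name for d in range(depth)]
    return "ALL," + ",".join(denies)


if __name__ == "__main__":
    deny_list = "ALL,!/usr/bin/XX"          # Martin's attempt
    deny_ls = deny_at_all_depths("ls", 3)    # Howard's suggestion
    allow_list = "/usr/bin/id, /bin/ls"      # constructed allow-list

    for spec, cmd in [
        (deny_list, "/usr/bin/XX"),   # denied
        (deny_list, "./XX"),          # allowed: relative form is not compared
        (deny_list, "/tmp/XX"),       # allowed: copy elsewhere
        (deny_ls, "/usr/bin/ls"),     # denied: depth 2 is covered
        (deny_ls, "/usr/local/bin/ls"),  # allowed: depth 3 is not
        (deny_ls, "/usr/bin/foo"),    # allowed: renamed binary
        ("ALL,!/usr/*", "/usr/bin/XX"),  # allowed: '*' stops at '/'
        (allow_list, "./XX"),         # denied: not in the allow-list
        (allow_list, "/tmp/ls"),      # denied: wrong path
    ]:
        print(f"{spec:32s} {cmd:20s} -> {'allow' if evaluate(spec, cmd) else 'deny'}")
```

The last three rows are the defender's takeaway: an allow-list of absolute paths denies every alternative spelling and every copy without needing a `!` entry per depth, whereas `ALL` with subtractions can never be made complete. The sudoers(5) manual's own security notes make the same observation about the `!` operator.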