how to prevent ./*

Martin Vazquez mtrash1 at hotmail.com
Wed Nov 12 12:20:50 EST 2003


I completely agree. But if I want someone to be able to execute 1000 commands 
located under some directory, and prevent him from doing just one command in 
the same directory, the only way to do it is writing the 1000 commands one 
by one in sudoers. It shouldn't be like that.

thanks



>From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
>To: "Howard Owen" <hbo at egbok.com>, "Martin Vazquez" <mtrash1 at hotmail.com>
>CC: shadhanker at gmx.net, sudo-users at sudo.ws
>Subject: RE: how to prevent ./*
>Date: Wed, 12 Nov 2003 11:00:36 -0600
>
>
>IMO, it's much easier to specify scopes of what they CAN use and
>restrict them to that.  Like Howard said, and extrapolating that to a
>general statement:  If you specify something that somebody CAN'T do,
>there's 1001 ways around that.  If they only have a short list of what
>they can do, it's easier to manage.
>
>Eric
>
>-----Original Message-----
>From: Howard Owen [mailto:hbo at egbok.com]
>Sent: Wednesday, November 12, 2003 10:20 AM
>To: Martin Vazquez
>Cc: Ladner, Eric (Eric.Ladner); shadhanker at gmx.net; sudo-users at sudo.ws
>Subject: RE: how to prevent ./*
>
>
>From sudoers(5):
>
>	A Cmnd_List is a list of one or more commandnames, directories,
>	and other aliases.  A commandname is a fully qualified filename
>	which may include shell-style wildcards ..
>
>So neither the plain command name, nor ./name are permitted, since they
>are not fully qualified.
>
>If you want to prevent a user from running /bin/ls, for example, you can
>specify the full path. But as you note the user can simply copy the
>executable somewhere else and run that. Since you can specify shell
>"glob" expressions, you could do this:
>
>	test2   ALL=(ALL)       ALL,!/ls,!/*/ls,!/*/*/ls
>
>And so on down to the limit of your filesystem's nested directories.
>Note however that they could name the file 'foo' and get around any such
>restrictions.
>
>On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> > Thanks, however, sudoers' syntax won't let me do that.
> >
> >
> > >From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
> > >To: "Martin Vazquez" <mtrash1 at hotmail.com>, shadhanker at gmx.net,
> > >sudo-users at sudo.ws
> > >Subject: RE: how to prevent ./*
> > >Date: Wed, 12 Nov 2003 08:08:44 -0600
> > >
> > >
> > >How about just !XX?
> > >
> > >-----Original Message-----
> > >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws]
> > >On Behalf Of Martin Vazquez
> > >Sent: Wednesday, November 12, 2003 6:31 AM
> > >To: shadhanker at gmx.net; sudo-users at sudo.ws
> > >Subject: Re: how to prevent ./*
> > >
> > >
> > >
> > >Hi Rahul,
> > >
> > >Thank you very much for your answer.
> > >Unfortunately, I did not express myself correctly in my initial mail.
> > >
> > >When I configure !/usr/bin/XX, then the users are still allowed to do
> > >sudo ./XX,
> > >
> > >because ./ does not match with /usr/bin.
> > >
> > >Any further idea?
> > >
> > >Thanks again
> > >
> > >Martin
> > >
> > > >From: "Rahul" <shadhanker at gmx.net>
> > > >To: "Martin Vazquez" <mtrash1 at hotmail.com>,<sudo-users at sudo.ws>
> > > >Subject: Re: how to prevent ./*
> > > >Date: Wed, 12 Nov 2003 14:41:58 +0530
> > > >
> > > >Hello Martin,
> > > >
> > > >You can configure the sudoers file with "!/usr/bin/XX".
> > > >But make sure that the user (who is in the sudoers file) is using
> > > >$ sudo ./XX  [or] $ sudo /usr/bin/XX
> > > >
> > > >NOT just
> > > >
> > > >$ ./XX or
> > > >$ /usr/bin/XX
> > > >
> > > >Hope this helps; let me know how it works.
> > > >
> > > >Thanks and Regards,
> > > >-sadha
> > > >
> > > >
> > > > > Can anyone tell me how to configure sudoers in order to prevent
> > > > > someone from doing ./* ?
> > > > > I am trying to prevent someone from executing a command XX, so I
> > > > > configured
> > > > >
> > > > > !/usr/bin/XX
> > > > >
> > > > > but still that user can go and do cd /usr/bin, ./XX.
> > > > >
> > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error.
> > > > >
> > > > > Can anyone tell how to do it?
> > > > >
> > > > > By the way, is it possible to include subdirectories when
> > > > > putting wildcards?
> > > > > For instance, I would like !/usr/* to prevent them from doing
> > > > > everything under /usr, including subdirectories. Any idea?
> > > > >
> > > > > Thanks a lot
> > > > >
> > > > > Martin
> > > > >
> > > > > ____________________________________________________________
> > > > > sudo-users mailing list <sudo-users at sudo.ws>
> > > > > For list information, options, or to unsubscribe, visit:
> > > > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
>
>
>
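To make Howard's and Eric's point concrete, here is a small model of how a sudoers Cmnd_List is matched, written for this thread and not taken from sudo's own code. It assumes simplified sudoers semantics: entries are checked in order, the last matching entry wins, `!` negates, `ALL` matches everything, and (as with fnmatch(3) and FNM_PATHNAME) a `*` or `?` wildcard does not match a `/`; the rule strings and paths are constructed examples.

```python
import re

def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a sudoers-style wildcard into a regex. Assumption: as with
    fnmatch(3) under FNM_PATHNAME, '*' and '?' never match a '/' separator."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")

def cmnd_list_allows(cmnd_list: str, command: str) -> bool:
    """Evaluate a Cmnd_List such as 'ALL,!/ls,!/*/ls' against an absolute
    command path (simplified model: entries in order, last match wins,
    '!' negates, a command that matches no entry is denied)."""
    allowed = False
    for raw in cmnd_list.split(","):
        entry = raw.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        if entry == "ALL" or _glob_to_regex(entry).match(command):
            allowed = not negated
    return allowed

# Constructed rule sets from the thread: XX denied by full path, ls denied
# by nested globs, versus a short allowlist that names only what is permitted.
DENY_XX    = "ALL, !/usr/bin/XX"
DENY_LS    = "ALL, !/ls, !/*/ls, !/*/*/ls"
ALLOW_ONLY = "/usr/bin/ls, /usr/bin/cat"

def evaluate() -> dict:
    return {
        "deny_xx_original": cmnd_list_allows(DENY_XX, "/usr/bin/XX"),        # False
        "deny_xx_copy":     cmnd_list_allows(DENY_XX, "/tmp/XX"),            # True
        "deny_ls_depth2":   cmnd_list_allows(DENY_LS, "/usr/bin/ls"),        # False
        "deny_ls_depth3":   cmnd_list_allows(DENY_LS, "/usr/local/bin/ls"),  # True
        "deny_ls_renamed":  cmnd_list_allows(DENY_LS, "/usr/bin/foo"),       # True
        "allow_copy":       cmnd_list_allows(ALLOW_ONLY, "/tmp/XX"),         # False
        "allow_renamed":    cmnd_list_allows(ALLOW_ONLY, "/usr/bin/foo"),    # False
        "allow_listed":     cmnd_list_allows(ALLOW_ONLY, "/usr/bin/ls"),     # True
    }

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
```

The model takes absolute paths only, because sudo resolves a relative command such as `./XX` to its absolute path before matching it against sudoers. The denylist rows show the two gaps Howard names (a copy outside the globbed depth, and a renamed copy); the allowlist rows show why Eric's "specify what they CAN do" closes both.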
