how to prevent ./*
Todd C. Miller
Todd.Miller at courtesan.com
Wed Nov 12 16:16:58 EST 2003
Matching is done based on the inode and device numbers. Therefore,
if a user is allowed to run /bin/ls, "cd /bin ; sudo ./ls" will
also work (since it is the same binary). This is done to prevent
problems with NFS automounters. That doesn't mean that (in this
example), "sudo ./ls" will work for _any_ "./ls" (unless you allow
the user to run ALL).
What are you really trying to prevent? If you want to allow a user
to run anything but certain commands you are really going about it
the wrong way since there will always be a way around the restrictions
you impose (--infinity is still infinity). You would be much better
off enumerating the commands you want the user to be able to run.
More information about the sudo-users mailing list
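The two points in the message above (commands are matched by device and inode number, and a deny list of the form "ALL, !/bin/ls" is trivially bypassed) can be shown with a small simulation. The script below is an added example and is not sudo's own code; it reimplements only the inode/device comparison the message describes, in a temporary directory with a constructed stand-in for /bin/ls. The helper names (file_id, matches_allowlist, matches_denylist, demo) are assumptions made for the illustration.

```python
"""
Simulation of sudo-style command matching by (st_dev, st_ino).
Added example; not sudo's source code.  A request matches a sudoers
entry when the requested file is the same inode on the same device,
which is why "cd /bin ; sudo ./ls" matches an entry for /bin/ls while
a copy of ls (a fresh inode) does not.
"""
import os
import shutil
import tempfile


def file_id(path):
    """Identity of a file as sudo sees it: device number plus inode number."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def matches_allowlist(requested, allowed):
    """Enumerated commands: allow only if the requested file IS one of them."""
    try:
        want = file_id(requested)
    except OSError:
        return False
    return any(file_id(a) == want for a in allowed if os.path.exists(a))


def matches_denylist(requested, denied):
    """ALL, !cmd1, !cmd2 ...: allowed unless the requested file IS a denied one."""
    try:
        want = file_id(requested)
    except OSError:
        return False
    return not any(file_id(d) == want for d in denied if os.path.exists(d))


def demo():
    """Build a fake /bin/ls and exercise both matching styles. Returns a dict."""
    tmp = tempfile.mkdtemp()
    old_cwd = os.getcwd()
    try:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        ls = os.path.join(bindir, "ls")
        with open(ls, "w") as f:               # constructed stand-in for /bin/ls
            f.write("#!/bin/sh\necho fake ls\n")
        os.chmod(ls, 0o755)

        # A copy has a new inode: a different command as far as sudo is concerned.
        copy = os.path.join(tmp, "ls-copy")    # think "cp /bin/ls /tmp/ls-copy"
        shutil.copy2(ls, copy)

        # A hard link shares the inode, so it is the same command.  Some
        # filesystems refuse hard links; record None in that case.
        link = os.path.join(tmp, "ls-link")
        try:
            os.link(ls, link)
        except OSError:
            link = None

        results = {}
        # "cd /bin ; sudo ./ls": relative path, same inode as the allowed entry.
        os.chdir(bindir)
        results["allow_rel"] = matches_allowlist("./ls", [ls])
        os.chdir(old_cwd)
        results["allow_link"] = matches_allowlist(link, [ls]) if link else None
        results["allow_copy"] = matches_allowlist(copy, [ls])
        # Deny list "ALL, !/bin/ls": the original is blocked ...
        results["deny_orig"] = matches_denylist(ls, [ls])
        # ... but the copy sails through, which is the "way around" the message warns about.
        results["deny_copy"] = matches_denylist(copy, [ls])
        return results
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value}")
```

The allow-list results show the behaviour the message describes: "./ls" run from inside the bin directory matches the /bin/ls entry, while a copy of the same program does not. The deny-list results show the weakness: the copy is "not /bin/ls" by inode, so "ALL, !/bin/ls" permits it. Real sudo also consults the user's PATH and sudoers options, but the identity test at the centre of both cases is the device/inode comparison shown here.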