how to prevent ./*

Todd C. Miller Todd.Miller at courtesan.com
Wed Nov 12 16:22:44 EST 2003


First of all, your '!' entry will only match "cp /etc/shadow", not
"cp /etc/shadow somewhere_else".  You could fix that by:

    test ALL = /usr/bin/cp, !/usr/bin/cp /etc/shadow*

But this is trivial to defeat by:

    cp -f /etc/shadow $HOME

There's just no easy way to do what you want--there are too many
ways to work around it (think symlinks).

 - todd
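
The matching behaviour described in the message above, as an added example that is not part of the original post and not sudo's own code: a simplified Python model of a sudoers command list in which the last matching entry decides and arguments are compared as one string with shell-style wildcards. The `ORIGINAL` rule is an assumed reconstruction of the asker's entry, and the `/home/test` path is a constructed sample.

```python
import fnmatch
import shlex


def entry_matches(entry, argv):
    """Return True if one command entry (leading '!' already removed) matches argv."""
    path, _, arg_pattern = entry.partition(" ")
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    if not arg_pattern:
        # An entry without arguments matches the command with any arguments.
        return True
    # Arguments are joined and matched as a single string against the pattern.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), arg_pattern)


def allowed(cmnd_list, command_line):
    """Simplified model (assumption): the last matching entry in the list wins."""
    argv = shlex.split(command_line)
    verdict = False
    for raw in cmnd_list.split(","):
        entry = raw.strip()
        negated = entry.startswith("!")
        if entry_matches(entry.lstrip("!").strip(), argv):
            verdict = not negated
    return verdict


# Assumed form of the asker's rule, and the variant suggested in the message.
ORIGINAL = "/usr/bin/cp, !/usr/bin/cp /etc/shadow"
FIXED = "/usr/bin/cp, !/usr/bin/cp /etc/shadow*"

# Constructed sample command lines, taken from the cases the message walks through.
SAMPLES = [
    "/usr/bin/cp /etc/shadow",
    "/usr/bin/cp /etc/shadow somewhere_else",
    "/usr/bin/cp -f /etc/shadow /home/test",
]

if __name__ == "__main__":
    for name, rule in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        for line in SAMPLES:
            print(f"{name:8} {'allow' if allowed(rule, line) else 'deny ':5} {line}")
```

The deny entry only fires when the argument string starts exactly where the pattern expects it, so any reordering of arguments falls through to the broad allow entry.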

