escaping * in sudoers

Aaron Spangler aaron at spangler.ods.org
Tue Mar 9 17:39:57 EST 2004


If you feel like you are giving them too much access, you can have them run an 
intelligent script that helps protect them.  Then you can give them access to 
that script instead of rm itself.

In sudo it's really easy to add command lines (even with parameters).  But it 
seems almost impossible to give (all but) a specific command or option 
because of the way that the options can be ordered.

I wish I could think of more ideas.

 -Aaron

On Tuesday 09 March 2004 04:35 am, barbara.ruess at allianz.de wrote:
> Hi Aaron,
> thanks, I got that :-)
> But this raises two more questions:
> 1) What does this part of the sudo documentation mean:
>
>  \x
>        For any character ``x'', evaluates to ``x''. This is used to escape
>        special characters such as: ``*'', ``?'', ``['', and ``}''.
>
>
> 2) My original problem is:  someone needs root access to something like  rm
> */mydirectory   or    rm /mydirectory/*/myfile
> If I do enter this in the sudoers file this also matches commands like rm
> file1 file2 /mydirectory   or  rm /mydirectory/file1  importanttfile
> /myfile, which means
> the user is able to remove everything.... Is there a solution for this?
> Regards, Barbara
>
>
>
>
> Barbara,
>
> When one runs: sudo ls *, the * character is interpreted by the current
> shell you are using.  It replaces the * character with a list of files in
> your own directory before passing it to sudo.  For example, if your
> directory contained three files (called one, two, three respectively), and
> you did a 'sudo ls *', sudo gets passed the options 'ls one three two'.
> Next sudo tries to match it against '/usr/bin/ls *'.  Since sudo never
> receives the *, the comparison fails and the command is denied.
>
> However if you were to type 'sudo ls \*', then sudo actually gets passed
> the *.  However you have to train your users to put the back slash in.
> (The backslash does not need to go into /etc/sudoers.)
>
> I hope this is helpful.
>
>  -Aaron
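
Added example, not part of the original thread: one way to write the kind of wrapper script suggested above for the rm /mydirectory/*/myfile case, so that sudoers lists the wrapper instead of an rm rule with wildcards. The install path /usr/local/sbin/rm-myfile, the function names and the allowed name alphabet are assumptions.

```shell
#!/bin/sh
# Wrapper to list in sudoers in place of "rm /mydirectory/*/myfile".
# Hypothetical sudoers entry:  someuser ALL = /usr/local/sbin/rm-myfile
# BASE and LEAF come from the path in the question; adjust to the real layout.
BASE=/mydirectory
LEAF=myfile

# Print the single path this wrapper may delete for subdirectory name $1.
# Returns non-zero if the arguments could reach anything else.
resolve_target() {
    [ "$#" -eq 1 ] || return 1           # exactly one argument: no extra files
    case "$1" in
        ''|.|..|-*|*/*) return 1 ;;      # empty, dot dirs, option-like, has a slash
        *[!A-Za-z0-9._-]*) return 1 ;;   # conservative alphabet: no spaces or globs
    esac
    printf '%s/%s/%s\n' "$BASE" "$1" "$LEAF"
}

main() {
    if ! target=$(resolve_target "$@"); then
        echo "usage: $0 <subdirectory-name>" >&2
        return 2
    fi
    # A symlinked subdirectory would redirect the delete outside $BASE.
    # This check is only reliable if $BASE is writable by root alone.
    if [ -L "${target%/*}" ]; then
        echo "refusing symlinked directory: ${target%/*}" >&2
        return 3
    fi
    rm -f -- "$target"
}

# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The user runs, for example, sudo /usr/local/sbin/rm-myfile projectA, and the script builds the full path itself, so no wildcard ever has to be matched by sudoers.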



