[sudo-users] Re: sudo question

Chris Jepeway jepeway at blasted-heath.com
Mon Nov 22 12:34:15 EST 2004


Hi Laura:

>
>
> I am using sudo in a University environment and need to limit the use 
> of sudo based on the filesystem the user is attempting to access.  
> Basically I have a group of sudoers who have full access (US citizens) 
> and a group that cannot have access to one particular filesystem 
> (these folks are Non-US citizens).
>
> Is there a way in the sudoers file to specify a user alias that cannot 
> access a particular filesystem with sudo command?
>
> Thanks for your time,
> lt
>
>


I haven't been involved with the inner workings of sudo
for about a decade, now.  Todd's the sudo maintainer,
and he provides commercial support for it if you need it.
Also, I'm cc'ing my reply to the sudo-users list, where
there are piles of friendly people that might know how to
help you out.

That said, here's an idea or two on how to solve your problem.

One thing that's fairly easy to do is run all the
non-US citizens' sudo commands through a script
or binary executable that disallows any references
to the restricted file system.  Something like

	#!/bin/sh
	# Wrapper: refuse to run if any argument names something on the
	# restricted file system, otherwise exec the command unchanged.
	RESTRICTEDFS=/mnt/restricted
	[ $# -gt 0 ] || exit 1
	for arg in "$@" ; do
		# Walk the pathname prefixes of arg, longest first, and check
		# every one that exists against $RESTRICTEDFS.  A file that
		# doesn't exist yet belongs wherever its nearest existing
		# ancestor lives, so checking the prefixes covers it too.
		fpath=$arg
		while : ; do
			if [ -e "$fpath" ] ; then
				# mount point is the last field of the last line of df -P
				fs=`df -P -- "$fpath" 2> /dev/null | awk '{last = $NF} END { print last }'`
				if [ "$fs" = "$RESTRICTEDFS" ] ; then
					echo 1>&2 "Sorry, you cannot use the restricted file system $RESTRICTEDFS"
					exit 1
				elif [ -z "$fs" ] ; then
					echo 1>&2 "Sorry, I got confused and can't tell the filesystem for $arg"
					exit 1
				fi
			fi
			# stop once we've checked the root directory or the cwd
			case "$fpath" in
				/|.) break ;;
			esac
			fpath=`dirname "$fpath"`
		done
	done
	exec "$@"

This is more by way of illustration than any kind of guarantee
that the script will do what you want.  The shell isn't really
the safest language to implement this sort of thing in, e.g.,
a compiled C program would be better.

Besides, this approach isn't really general enough: it's easy
for somebody to just stuff the commands they want to run
into their own shell script, run that if sudo lets them,
and then the snippet above won't ever see any restricted
paths.

Another approach would be to modify the sudo_noexec.c library
to include checks for system calls like open() that operate
on pathnames.  You'd do the same kind of checks as the script above:
statvfs() (or the like) the components of the pathnames, and return
EACCES for any paths pointing to the restricted filesystem.

This is the better approach.  Off the top of my head
you'll need to implement dummy functions for open()
and creat(), but I bet there are others I can't think of.
Hm, like symlink().

The noexec features of sudo went in long after I did
any sudo development, so take this idea with a grain of salt.
I think it'll work, but I've never tried it.

Finally, if your O/S supports systrace, you might be
able to write a policy for the restricted users that
keeps them from referencing the off-limits file system.
I'm not sure this would work, though, since I'm not familiar
with systrace.  There might be problems detecting the non-US
citizens once sudo has switched to UID 0, e.g.

Good luck.

Chris <jepeway at blasted-heath.com>.
--
Thomas Jefferson, appearing on US currency everywhere,
had this to say writing _Notes on Virginia_ in 1782:

   The legitimate powers of government extend to such acts
   only as are injurious to others.  But it does me no injury
   for my neighbor to say there are twenty gods or no God.
   It neither picks my pocket nor breaks my leg.
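The sudo_noexec-style library sketched in the message above, as an added example: this is hypothetical code written for this page, not sudo's sudo_noexec.c and not something the message's author tested. It assumes the restricted mount point is /mnt/restricted (settable through set_restricted_root) and, unlike the shell script, identifies the filesystem by the device number stat() reports instead of by comparing df's mount-point string, so bind mounts and odd df output don't confuse it. Both "path is on the restricted filesystem" and "can't tell" are refused with EACCES, matching the fail-closed behaviour of the script.

```c
/* Sketch of a sudo_noexec-style preload shim: open()/creat() get EACCES for
 * any pathname that resolves to the restricted filesystem. Hypothetical
 * code, not sudo's; "/mnt/restricted" is an assumed mount point. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                     /* RTLD_NEXT */
#endif
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)        /* glibc's value, if dlfcn.h was seen without _GNU_SOURCE */
#endif

static const char *restricted_root = "/mnt/restricted";   /* assumption */
static dev_t restricted_dev;            /* st_dev of that mount point */
static int restricted_known;            /* 0 until restricted_dev is valid */

/* Record the device number of the restricted mount point.
 * Returns 1 on success, 0 if the mount point cannot be stat()ed. */
int set_restricted_root(const char *root)
{
    struct stat st;

    restricted_root = root;
    restricted_known = (stat(root, &st) == 0);
    if (restricted_known)
        restricted_dev = st.st_dev;
    return restricted_known;
}

/* 1 if path lives on the restricted filesystem, 0 if not, -1 if undecidable.
 * A file that does not exist yet is judged by its nearest existing ancestor,
 * which is where O_CREAT would put it. stat() follows symlinks, so a link
 * pointing into the restricted mount is judged by its target. */
int on_restricted_fs(const char *path)
{
    char buf[4096];
    struct stat st;
    size_t n;

    if (path == NULL || (n = strlen(path)) == 0 || n >= sizeof buf)
        return -1;
    if (!restricted_known && !set_restricted_root(restricted_root))
        return -1;                      /* mount unknown: callers fail closed */
    memcpy(buf, path, n + 1);

    while (stat(buf, &st) != 0) {       /* climb until something exists */
        char *slash = strrchr(buf, '/');
        if (slash == NULL) {
            if (strcmp(buf, ".") == 0)
                return -1;              /* even the cwd is unreachable */
            strcpy(buf, ".");           /* relative path: judged by the cwd */
        } else if (slash == buf) {
            if (buf[1] == '\0')
                return -1;              /* "/" itself failed */
            buf[1] = '\0';              /* "/x" -> "/" */
        } else {
            *slash = '\0';              /* drop the last component */
        }
    }
    return st.st_dev == restricted_dev;
}

/* Interposed open(): deny restricted (or undecidable) paths with EACCES,
 * otherwise hand off to the next open() in the link map, i.e. libc's. */
int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    mode_t mode = 0;

    if (flags & O_CREAT) {              /* the mode argument exists only with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t) va_arg(ap, int);
        va_end(ap);
    }
    if (real_open == NULL)
        *(void **) &real_open = dlsym(RTLD_NEXT, "open");
    if (on_restricted_fs(path) != 0 || real_open == NULL) {
        errno = EACCES;                 /* restricted, undecidable, or no libc open(): fail closed */
        return -1;
    }
    return real_open(path, flags, mode);
}

/* creat() is open() with fixed flags; routing it through our open() means one check covers both. */
int creat(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
}
```

Built as a shared object (gcc -shared -fPIC -o restrict.so restrict.c -ldl) it is loaded the same way sudo's noexec loads sudo_noexec.so, through LD_PRELOAD or the platform equivalent. Caveats a practitioner would want: openat(), open64() on 32-bit large-file builds, symlink(), rename(), link(), unlink() and mkdir() each need their own wrapper; statically linked programs and anything making the system call directly bypass a preload library altogether; and check-then-open is racy against a concurrent rename or mount change, so this is a policy guard for cooperative users, not a hard security boundary.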
