[sudo-users] Restricting characters in sudo commands
Paul Stepowski
p.stepowski at qut.edu.au
Thu Jun 15 20:45:22 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If this is not possible in sudo (maybe it is, but I've yet to figure out how),
could this be considered as a feature for sudo for a later release?
Using a wrapper script is not a scalable solution as there are many other
commands that can be exploited the same way. Commands including tail, cat, head
etc. all allow multiple files to be specified on the command line.
For all those out there who use these commands, you're allowing the user to read
any file on the file system that is readable by root.
Thanks,
Paul
Matthew Hannigan wrote:
> On Thu, Jun 15, 2006 at 04:03:46PM +1000, Paul Stepowski wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi list,
>>
>> I'm trying to restrict access to the 'mkdir' command so a user can only create a
>> directory in the specified subdirectory. e.g
>>
>> testuser testhost.example.com = (root) /bin/mkdir /tmp/[A-z0-9]*
>>
>> This works but it still allows a user to specify additional directories after
>> the first /tmp directory.
>>
>> e.g. sudo mkdir /tmp/testA testB
>>
>> will allow the user to create other directories, owned as root, anywhere on the
>> file system. How can I configure sudo so mkdir can only be fed one directory
>> name to create? Is this even possible with sudo?
>
> I don't think it is; write a wrapper.
>
> Matt
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFEkf8i4qOLghPAuV0RArXqAJsFG11zcZ42okyn/J0xlD265VvmkgCgvkWD
mwH4HRHsXF4eK3dB7IhMqtU=
=K4es
-----END PGP SIGNATURE-----
More information about the sudo-users
mailing list