[sudo-users] Restricting characters in sudo commands
p.stepowski at qut.edu.au
Thu Jun 15 20:45:22 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
If this is not possible in sudo (maybe it is, but I've yet to figure out how),
could this be considered as a feature for sudo for a later release?
Using a wrapper script is not a scalable solution as there are many other
commands that can be exploited the same way. Commands including tail, cat, head
etc. all allow multiple files to be specified on the command line.
For all those out there who use these commands, you're allowing the user to read
any file on the file system that is readable by root.
Matthew Hannigan wrote:
> On Thu, Jun 15, 2006 at 04:03:46PM +1000, Paul Stepowski wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hi list,
>> I'm trying to restrict access to the 'mkdir' command so a user can only create a
>> directory in the specified subdirectory. e.g
>> testuser testhost.example.com = (root) /bin/mkdir /tmp/[A-z0-9]*
>> This works but it still allows a user to specify additional directories after
>> the first /tmp directory.
>> e.g. sudo mkdir /tmp/testA testB
>> will allow the user to create other directories, owned as root, anywhere on the
>> file system. How can I configure sudo so mkdir can only be fed one directory
>> name to create? Is this even possible with sudo?
> I don't think it is; write a wrapper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the sudo-users