[sudo-users] Problem with shell wildcard

Paul Stepowski p.stepowski at qut.edu.au
Wed Mar 7 00:34:27 EST 2007


Matthew Hannigan wrote:
> On Wed, Mar 07, 2007 at 11:57:18AM +1000, Paul Stepowski wrote:
>> But sudo should get around that, because I'm running the command as root, right?
> yes, but the shell, running as you, tries to expand * before running the command.
>> The sudo syslogs seem to indicate that sudo is receiving the command exactly as
>> passed from the shell.
>> ---snip---
>> Mar  7 11:40:17 css-ps sudo: stepowski : TTY=pts/2 ; PWD=/home/stepowski ;
>> USER=root ; COMMAND=/bin/ls -l /var/log/httpd/*
>> ---snip---
>> It seems that sudo is getting confused by the shell wildcard character "*" for
>> some reason and it can't find the files.
> That's because the command is run directly, not via the shell.  So * doesn't
> get expanded.  It looks for a literal *.
>> This is quite annoying.  I can get around this for the "ls" command by using
>> sudo ls -l /var/log/httpd/
>> But, if I want to do a grep, I'm stuck.
>> ---snip---
>> $ sudo grep GET /var/log/httpd/*
>> grep: /var/log/httpd/*: No such file or directory
>> ---snip---
>> Can someone please explain this.  This is starting to annoy my system
>> administrators.  Is this a bug or a feature?
> It's a bug AND a feature! :-)

This is what I suspected.  The user shell tries to expand the * and can't,
because it doesn't have permission.  So it passes the "ls -l /var/log/httpd/*"
to sudo intact.  Sudo runs the command by calling exec(), rather than a shell so
the wildcard isn't expanded.  This makes sense when I think about it, but to
your average user, it's confusing.

> I'd relax the perms to allow admins to read the logs without sudo.

Not an option.  The ls -l example is but one contrived example that demonstrates
the problem.  You'd be talking about changing permissions on many directories to
group and/or all users read.  This is a bad idea.

A fix might be to include a feature in sudo (disabled by default) to expand
wildcards in commands.  Most shells expand "*" in the same way, so you wouldn't
have to worry about what shell the user is using, in most cases.  It could get
hairy if you wanted to expand other characters via the shell, but I'd be more
than happy with just "*".

Is there any chance of this sort of feature being included in a later release of

> Matt
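As an added illustration (not from the original thread): a shell script that reproduces the two behaviours described above, with a constructed scratch directory standing in for /var/log/httpd and a plain exec standing in for sudo. It shows the literal "*" reaching grep as a path, and the same pattern expanded by a shell that can read the directory.

```shell
#!/bin/sh
# Added demonstration, not code from the sudo-users thread.
# The caller's shell expands "*" BEFORE exec; sudo then execve()s the
# command directly, so an unexpanded "*" reaches grep as a literal path.
# LOGDIR is a constructed scratch directory, not /var/log/httpd.

setup_logs() {
    LOGDIR=$(mktemp -d)
    printf 'GET /index.html HTTP/1.1\n' > "$LOGDIR/access_log"
    printf 'POST /login HTTP/1.1\n'     > "$LOGDIR/error_log"
}

# Case 1: the pattern is passed through unexpanded, exactly what happens
# when the user's (unprivileged) shell cannot read the directory and hands
# sudo the literal string. grep sees the path ".../*" and reports ENOENT.
# Returns grep's exit status (2 = "No such file or directory").
literal_glob_exit() {
    if grep -l GET "$LOGDIR/*" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Case 2: a shell that CAN read the directory expands the pattern and execs
# grep with one argv element per file. This is what "sudo sh -c '...'" does
# with a root shell; note that the whole string is then interpreted by that
# shell, so any sudoers rule permitting it must be scoped with that in mind.
# Returns the number of files matching GET.
expanded_glob_matches() {
    sh -c 'grep -l GET "$1"/*' _ "$LOGDIR" | wc -l | tr -d ' '
}

cleanup_logs() {
    rm -rf "$LOGDIR"
}

setup_logs
echo "literal argv  : grep exit status $(literal_glob_exit)"
echo "shell-expanded: $(expanded_glob_matches) file(s) contain GET"
cleanup_logs
```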


