[sudo-users] Expansion of nested Cmnd_Alias commands

Charles Marshall charles at wozi.com
Thu Apr 24 18:29:26 EDT 2008


All,
So I have an environment where I am trying to have Cmnd_Alias definitions for groups of commands, and then Cmnd_Alias definitions for sets of aliases so I can give a user access to certain things in certain environments (see the syntax below).

# Hack permission to give no access
Cmnd_Alias FALSE = /bin/false

# Allow users to manipulate files
Cmnd_Alias MANIP_FILES = /bin/cp, /bin/mv, /bin/rm, /bin/chmod, /bin/mkdir

# Allow users to view files  (THIS HAS TO BE NOEXEC LOCKED!)
Cmnd_Alias VIEW_FILES = /usr/bin/less, /bin/cat, /bin/more, /bin/grep, /usr/bin/tail

# Allow users to edit files
Cmnd_Alias EDIT_FILES = sudoedit

# Allow users to manage
Cmnd_Alias APP_MANAGE = /opt/APP/bin/, /bin/kill

# Cmnd_Aliases to allow users to become various users
Cmnd_Alias      SUAPPADMIN = /bin/su - appadmin

## Cmnd_Alias of Cmnd_Alias for Environments
Cmnd_Alias      APP_PROD = MANIP_FILES, APP_MANAGE, EDIT_FILES
Cmnd_Alias      APP_PROD_SU = FALSE	
Cmnd_Alias      APP_QA = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias      APP_QA_SU = FALSE
Cmnd_Alias      APP_DEV = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias      APP_DEV_SU = SUAPPADMIN

# Alias for appdevel group to do things, and become the appadmin user
Runas_Alias     APP = appadmin
%appdevel       +appprod = (root) APP_PROD_SU, (APP) APP_PROD, (APP) NOEXEC: VIEW_FILES
%appdevel       +appqa = (root) APP_QA_SU, (APP) APP_QA, (APP) NOEXEC: VIEW_FILES
%appdevel       +appdev = (root) APP_DEV_SU, (APP) APP_DEV, (APP) NOEXEC: VIEW_FILES


The issue is that when a user does "sudo -l" on the command line, the user sees the following (of course on a server in the proper netgroup):

cmarshall at server $ sudo -l
User cmarshall may run the following commands on this host:
     (root) SUAPPADMIN
     (appadmin) MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
     (appadmin) NOEXEC: /usr/bin/less, /bin/cat, /bin/more, /bin/grep, /usr/bin/tail
cmarshall at server $

The issue is that my users will inevitably bug me saying that they don't know what commands they can run from sudo. Is there a way to have sudo show the expansion of the nested command aliases?

Thanks,
Charles
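The expansion the post asks sudo to perform can also be produced outside sudo by reading the Cmnd_Alias lines of the sudoers file directly. The following Python is an added example, not code from the post or from the sudo project: it resolves nested Cmnd_Alias members down to the concrete commands they permit, refusing to loop on a reference cycle. The embedded sudoers text is constructed from the aliases in the post, and the parser assumes one definition per line (no backslash continuations and no other alias types).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the Cmnd_Alias lines in the post above.
SAMPLE_SUDOERS = """# Hack permission to give no access
Cmnd_Alias FALSE = /bin/false
Cmnd_Alias MANIP_FILES = /bin/cp, /bin/mv, /bin/rm, /bin/chmod, /bin/mkdir
Cmnd_Alias EDIT_FILES = sudoedit
Cmnd_Alias APP_MANAGE = /opt/APP/bin/, /bin/kill
Cmnd_Alias SUAPPADMIN = /bin/su - appadmin
Cmnd_Alias APP_QA = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias APP_DEV_SU = SUAPPADMIN
"""

# Cmnd_Alias NAME = member, member, ...   (single line, no continuations)
ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+?)\s*$")


def parse_cmnd_aliases(text: str) -> Dict[str, List[str]]:
    """Map each Cmnd_Alias name to its comma-separated member list."""
    aliases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments before matching
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return aliases


def expand_alias(name: str, aliases: Dict[str, List[str]],
                 _stack: Tuple[str, ...] = ()) -> List[str]:
    """Resolve an alias to its leaf commands, in first-seen order.
    Anything not defined as a Cmnd_Alias (a path, 'sudoedit', the keyword
    ALL) is a leaf; an alias that references itself raises ValueError."""
    if name in _stack:
        raise ValueError("Cmnd_Alias cycle: " + " -> ".join(_stack + (name,)))
    if name not in aliases:
        return [name]
    leaves: List[str] = []
    for member in aliases[name]:
        for leaf in expand_alias(member, aliases, _stack + (name,)):
            if leaf not in leaves:
                leaves.append(leaf)
    return leaves


if __name__ == "__main__":
    table = parse_cmnd_aliases(SAMPLE_SUDOERS)
    for alias in ("APP_QA", "APP_DEV_SU", "FALSE"):
        print(f"{alias:12s} -> {', '.join(expand_alias(alias, table))}")
```

Pointing `parse_cmnd_aliases` at the real sudoers text gives the per-environment listing the post's users are asking for; the ALL keyword is kept as the literal `ALL`, since it is not an alias and its meaning depends on the Runas specification.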