[sudo-users] Expansion of nested Cmnd_Alias commands
Charles Marshall
charles at wozi.com
Thu Apr 24 18:29:26 EDT 2008
All,
So I have an environment where I am trying to have Cmnd_Alias
definitions for groups of commands, and then Cmnd_Alias definitions
for sets of Aliases so I can give a user access to certain things in
certain environments (see the syntax below).
# Hack permission to give no access
Cmnd_Alias FALSE = /bin/false
# Allow users to manipulate files
Cmnd_Alias MANIP_FILES = /bin/cp, /bin/mv, /bin/rm, /bin/chmod, /bin/mkdir
# Allow users to view files (THIS HAS TO BE NOEXEC LOCKED!)
Cmnd_Alias VIEW_FILES = /usr/bin/less, /bin/cat, /bin/more, /bin/grep, /usr/bin/tail
# Allow users to edit files
Cmnd_Alias EDIT_FILES = sudoedit
# Allow users to manage
Cmnd_Alias APP_MANAGE = /opt/APP/bin/, /bin/kill
# Cmnd_Aliases to allow users to become various users
Cmnd_Alias SUAPPADMIN = /bin/su - appadmin
## Cmnd_Alias of Cmnd_Alias for Environments
Cmnd_Alias APP_PROD = MANIP_FILES, APP_MANAGE, EDIT_FILES
Cmnd_Alias APP_PROD_SU = FALSE
Cmnd_Alias APP_QA = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias APP_QA_SU = FALSE
Cmnd_Alias APP_DEV = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias APP_DEV_SU = SUAPPADMIN
# Alias for appdevel group to do things, and become the appadmin user
Runas_Alias APP = appadmin
%appdevel +appprod = (root) APP_PROD_SU, (APP) APP_PROD, (APP) NOEXEC: VIEW_FILES
%appdevel +appqa = (root) APP_QA_SU, (APP) APP_QA, (APP) NOEXEC: VIEW_FILES
%appdevel +appdev = (root) APP_DEV_SU, (APP) APP_DEV, (APP) NOEXEC: VIEW_FILES
The issue is that when a user does "sudo -l" on the command line the
user sees the following (of course on a server in the proper netgroup):
cmarshall at server $ sudo -l
User cmarshall may run the following commands on this host:
(root) SUAPPADMIN
(appadmin) MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
(appadmin) NOEXEC: /usr/bin/less, /bin/cat, /bin/more, /bin/grep, /usr/bin/tail
cmarshall at server $
The issue is that my users will inevitably bug me saying that they
don't know what commands they can run from sudo. Is there a way to
have sudo show the expansion of the nested command aliases?
Thanks,
Charles
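Added example, not part of the original post or of sudo itself: a small Python script that parses Cmnd_Alias lines from a sudoers fragment (constructed here to mirror the one above) and flattens nested aliases the way the poster wants "sudo -l" to, keeping the ALL built-in literal and refusing alias cycles. It also flags aliases whose expansion contains ALL, since every other member of such an alias is then redundant. It does not handle backslash line continuation or "!" negation.

```python
import re

# Constructed sudoers fragment mirroring the post (sample input, not a real file).
SUDOERS = """
# Hack permission to give no access
Cmnd_Alias FALSE = /bin/false
Cmnd_Alias MANIP_FILES = /bin/cp, /bin/mv, /bin/rm, /bin/chmod, /bin/mkdir
Cmnd_Alias VIEW_FILES = /usr/bin/less, /bin/cat, /bin/more, /bin/grep, /usr/bin/tail
Cmnd_Alias EDIT_FILES = sudoedit
Cmnd_Alias APP_MANAGE = /opt/APP/bin/, /bin/kill
Cmnd_Alias SUAPPADMIN = /bin/su - appadmin
Cmnd_Alias APP_PROD = MANIP_FILES, APP_MANAGE, EDIT_FILES
Cmnd_Alias APP_PROD_SU = FALSE
Cmnd_Alias APP_DEV = MANIP_FILES, APP_MANAGE, EDIT_FILES, ALL
Cmnd_Alias APP_DEV_SU = SUAPPADMIN
"""

ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+?)\s*$")


def parse_cmnd_aliases(text):
    """Return {alias: [member, ...]} for every Cmnd_Alias line.
    Comments are stripped first (assumes no command path contains '#')."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.split("#", 1)[0])
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return aliases


def expand(name, aliases, _seen=frozenset()):
    """Flatten a (possibly nested) Cmnd_Alias into concrete commands, in order,
    without duplicates. Names not defined as aliases (commands, ALL) are leaves."""
    if name not in aliases:
        return [name]
    if name in _seen:
        raise ValueError(f"Cmnd_Alias cycle through {name}")
    out = []
    for member in aliases[name]:
        out.extend(expand(member, aliases, _seen | {name}))
    return list(dict.fromkeys(out))  # dedupe, keep first-seen order


def grants_all(name, aliases):
    """True if the alias ultimately permits ALL, making its other members redundant."""
    return "ALL" in expand(name, aliases)


if __name__ == "__main__":
    table = parse_cmnd_aliases(SUDOERS)
    for alias in ("APP_PROD", "APP_PROD_SU", "APP_DEV", "APP_DEV_SU"):
        flag = "  <-- contains ALL" if grants_all(alias, table) else ""
        print(f"{alias}: {', '.join(expand(alias, table))}{flag}")
```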