[sudo-users] Cmnd_Alias mystery

Battersby-Cornmell, Robin Alasdair Robin.Battersby-Cornmell at uisl.unisys.com
Thu Jul 17 04:30:30 EDT 2008


I would think that it is interpreted as a two-step process.

What you would find is that as the command alias for SH=/usr/bin/*sh is
expanded, it finds no files to match and therefore evaluates to SH=
<NULL>, hence the directive is that user_x can run anything except.
Yes, deliberately truncated that sentence.

In your format without the alias, I'm assuming that the directive
actually reads the command string and tries to match the !/usr/bin/*sh
directly.



I hope that this helps.




Robin Battersby-Cornmell
Unisys, Liverpool


-----Original Message-----
From: Matt Marchione [mailto:mmarchio at coat.com] 
Sent: Tuesday, July 15, 2008 10:32 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Cmnd_Alias mystery


I've been trying to solve an unusual problem with a Cmnd alias that
we've been having and I've figured out what was causing it, but don't
understand why.

Given:
Cmnd_Alias	SH=/usr/bin/*sh

user_x		ALL=(ALL) NOPASSWD:ALL,!SH

To allow "user_x" to run any command except commands in /usr/bin that
end with 'sh'. However, this result occurs when executing:

 > sudo /bin/ls
Sorry, user user_x is not allowed to execute '/bin/ls' as root on host.
 >


However, if the sudoers is set up as follows, the command works:

user_x		ALL=(ALL) NOPASSWD:ALL,!/usr/bin/*sh



The culprit in this case turned out to be that /usr/bin/sh was not
present; link, binary or otherwise. Once /usr/bin/sh was put in place,
the alias form worked correctly. I would have thought that sudo wouldn't
care if it exists or not with the wild card alias. Can anyone shed some
light on this?

The platform this was occurring on is SuSE-SLES 10. The sudo version is
1.6.9p13 and compiled from source, not a pre-built RPM. Any help would
be appreciated.

Thanks,
MattM
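The condition Matt describes, a wildcard Cmnd_Alias whose pattern matches no file on the host, is easy to check for before a rule built on it is relied upon. The following lint helper is an added example written for this archive page, not code from sudo or from either poster; it assumes each Cmnd_Alias is defined on a single line and stages a throwaway directory tree in place of the real filesystem so it can be run anywhere.

```python
"""Flag Cmnd_Alias wildcard patterns that match no file on the host."""
import glob
import os
import re
import tempfile

# Constructed sample mirroring the sudoers fragment from the original post.
SAMPLE_SUDOERS = """\
Cmnd_Alias\tSH=/usr/bin/*sh
user_x\t\tALL=(ALL) NOPASSWD:ALL,!SH
"""

ALIAS_RE = re.compile(r'^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+?)\s*$')
GLOB_CHARS = set('*?[')


def parse_cmnd_aliases(text):
    """Return {alias_name: [command pattern, ...]} for single-line aliases."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(',') if p.strip()]
    return aliases


def check_alias_globs(text, root='/'):
    """For every alias pattern containing a shell wildcard, count the files it
    matches below `root` (the real filesystem by default, or a staged tree).
    Returns [(alias, pattern, match_count)]; a count of 0 is the case from
    the thread: the alias has nothing to stand for."""
    findings = []
    for name, patterns in parse_cmnd_aliases(text).items():
        for pat in patterns:
            path = pat.lstrip('!').split()[0]          # drop negation and arguments
            if not GLOB_CHARS.intersection(path):
                continue                                # plain path, nothing to expand
            full = os.path.join(root, path.lstrip('/'))
            findings.append((name, pat, len(glob.glob(full))))
    return findings


def demo():
    """Run the check on a staged tree before and after /usr/bin/sh exists."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, 'usr', 'bin')
        os.makedirs(bindir)
        open(os.path.join(bindir, 'ls'), 'w').close()   # only ls present
        before = check_alias_globs(SAMPLE_SUDOERS, root)
        open(os.path.join(bindir, 'sh'), 'w').close()   # now /usr/bin/sh exists
        after = check_alias_globs(SAMPLE_SUDOERS, root)
    return before, after


if __name__ == '__main__':
    for alias, pat, n in demo()[0] + demo()[1]:
        print(f'{alias}: {pat} matches {n} file(s)' + ('  <-- matches nothing' if n == 0 else ''))
```

Run against the live system (`check_alias_globs(open('/etc/sudoers').read())`) the zero-count entries are the aliases to look at before trusting any `!ALIAS` exclusion built on them.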
