[sudo-users] Cmnd_Alias mystery

Burns, Richard richard.burns at rbc.com
Thu Jul 17 09:22:09 EDT 2008


Try your rule as such:

user_x 	ALL=(ALL) NOPASSWD (ALL), NOEXEC: /usr/bin

Then you cannot even exit "vi" into the shell, as the NOEXEC flag
prevents it. We've tested this at version 1.6.8p12.

Richard Burns
Mid Range Systems: Senior Technical Engineer
416-348-4067

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
Battersby-Cornmell,Robin Alasdair
Sent: 2008, July, 17 4:31 AM
To: Matt Marchione; sudo-users at sudo.ws
Subject: Re: [sudo-users] Cmnd_Alias mystery


I would think that it is interpreted as a two step process. 

What you would find is that as the command alias for SH=/usr/bin/*sh is
expanded, it finds no files to match and therefore evaluates to SH=
<NULL>, hence the directive is that user_x can run anything except.
Yes, deliberately truncated that sentence.

In your format without the alias, I'm assuming that the directive
actually reads the command string and tries to match the !/usr/bin/*sh
directly.



I hope that this helps.




Robin Battersby-Cornmell
Unisys, Liverpool


-----Original Message-----
From: Matt Marchione [mailto:mmarchio at coat.com] 
Sent: Tuesday, July 15, 2008 10:32 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Cmnd_Alias mystery


I've been trying to solve an unusual problem with a Cmnd alias that
we've been having and I've figured out what was causing it, but don't
understand why.

Given:
Cmnd_Alias	SH=/usr/bin/*sh

user_x		ALL=(ALL) NOPASSWD:ALL,!SH

To allow "user_x" to run any command except commands in /usr/bin that
end with 'sh'. However this result occurs when executing:

 > sudo /bin/ls
Sorry, user user_x is not allowed to execute '/bin/ls' as root on host.
 >


However, if the sudoers is setup as follows the command works:

user_x		ALL=(ALL) NOPASSWD:ALL,!/usr/bin/*sh



The culprit in this case turned out to be /usr/bin/sh was not present;
link, binary or otherwise. Once /usr/bin/sh was put in place, the alias
form worked correctly. I would have thought that sudo wouldn't care if
it exists or not with the wild card alias. Can anyone shed some light on
this?

The platform this was occurring on is SuSE-SLES 10. The sudo version is
1.6.9p13 and compiled from source, not a pre-built RPM. Any help would
be appreciated.

Thanks,
MattM
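A small checker for the pattern this thread turns on, added here as an example (it is not code from the list or from the sudo project): it parses Cmnd_Alias definitions and flags user specifications that grant ALL and then subtract commands with `!`, a construction sudoers(5) documents as not an effective restriction, and it lists the specs that carry the NOEXEC tag Richard recommends. The sudoers text is constructed for the example; the function names are my own.

```python
import re

# Constructed sample sudoers text modelled on the thread; not a real file.
SAMPLE_SUDOERS = """\
Cmnd_Alias SH = /usr/bin/*sh
Cmnd_Alias SAFE = /bin/ls, /usr/bin/id
user_x ALL=(ALL) NOPASSWD: ALL, !SH
user_y ALL=(ALL) NOPASSWD: ALL, !/usr/bin/*sh
user_z ALL=(ALL) NOEXEC: SAFE
"""

ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas)? TAG: TAG: ... command list
SPEC_RE = re.compile(
    r"^\s*(\S+)\s+([^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(.*)$")

def parse_aliases(text):
    """Map each Cmnd_Alias name to its list of command patterns."""
    aliases = {}
    for line in text.splitlines():
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases

def user_specs(text):
    """Yield (user, line, [commands]) for every user specification line."""
    for line in text.splitlines():
        if not line.strip() or re.match(r"\s*(#|Cmnd_Alias|Defaults)", line):
            continue
        if m := SPEC_RE.match(line):
            yield m.group(1), line, [c.strip() for c in m.group(3).split(",")]

def find_subtractive_rules(text):
    """Return (user, excluded_pattern, is_wildcard) for specs that grant ALL
    and then subtract commands with '!'. sudoers(5) warns this is not an
    effective restriction; a wildcard exclusion is weaker still, as the
    thread shows when the pattern matches no existing file."""
    aliases = parse_aliases(text)
    findings = []
    for user, _line, cmds in user_specs(text):
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and denied:
            for item in denied:
                for pat in aliases.get(item, [item]):   # expand alias or literal
                    findings.append((user, pat, any(ch in pat for ch in "*?[")))
    return findings

def noexec_users(text):
    """Users whose spec carries NOEXEC (blocks shell escapes from vi and the like)."""
    return [u for u, line, _ in user_specs(text) if re.search(r"\bNOEXEC:", line)]
```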



