[sudo-users] Using wildcards in sudoers file

Battersby-Cornmell, Robin Alasdair Robin.Battersby-Cornmell at uisl.unisys.com
Tue Sep 29 12:10:34 EDT 2009


One potential way would be to script the "sudo chown ......" and validate somehow, e.g.

	#!/bin/ksh
	#
	# Rough and ready chown script
	#
	# Tree under which ownership may be changed (assumed from the question)
	allowed=/usr/sap/trans

	newowner=$1
	shift			# Drop $1 from parameter list
	for file in "$@"	# Loop for all subsequent parameters ("$@" keeps
	do			# a name containing spaces as one argument)
	   # Matching criteria: under the tree, no ".." component, and existing
	   if [[ "$file" = "$allowed"/* && "/$file/" != */../* && -e "$file" ]]
	   then
	      chown "$newowner" "$file"
	   else
	      echo "Change of ownership on $file not allowed"
	   fi
	done


Then secure the script and grant a specific sudo rule to allow the specific user to run it.

Of course, there is no error checking written here really.  You should test that the target file does actually exist else the user will get other splattery messages.




I hope that this helps.

Robin
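The wildcard problem from the question and the per-argument check that the script above leaves as a placeholder, as an added example (not code from either poster); it is plain POSIX sh, assumes the permitted tree is /usr/sap/trans, and writes the post's [A-z] as the portable [A-Za-z]:

```shell
#!/bin/sh
# Added example, not from the list post. Reproduces why the sudoers line
#   /usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*
# admits extra arguments, then shows a per-argument check for a wrapper.
# Assumed: the tree is /usr/sap/trans; [A-z] written portably as [A-Za-z].

ALLOWED=/usr/sap/trans

# sudoers joins the arguments with single spaces and matches the whole string
# with fnmatch(3), where '*' also matches spaces and slashes; a shell 'case'
# glob behaves the same way, so this reproduces the sudoers decision.
sudoers_glob_allows() {
    pat='[A-Za-z]* /usr/sap/trans/[A-Za-z]*'
    case "$*" in
        $pat) return 0 ;;
        *)    return 1 ;;
    esac
}

# One path argument for the wrapper: no chown options, under ALLOWED,
# no '..' component, and not a symlink (chown follows links by default,
# so a link inside the tree could redirect the change outside it).
path_allowed() {
    case "$1" in
        -*) return 1 ;;
        "$ALLOWED"/*) ;;
        *) return 1 ;;
    esac
    case "/$1/" in
        */../*) return 1 ;;
    esac
    [ -L "$1" ] && return 1
    return 0
}

# Whole 'chown OWNER PATH...' argument list: a plain owner[:group] token
# followed by at least one path, each checked on its own.
chown_args_allowed() {
    [ $# -ge 2 ] || return 1
    owner=$1
    shift
    case "$owner" in
        ''|-*|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    for p in "$@"; do
        path_allowed "$p" || return 1
    done
    return 0
}
```

Intermediate directories that are symlinks are not caught by the `-L` test; a wrapper on a system with a realpath-style tool should canonicalise the path before the prefix check.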


-----Original Message-----
From: megadethpaw megadethpaw [mailto:megadethpaw at hotmail.co.uk] 
Sent: Tuesday, September 29, 2009 2:52 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Using wildcards in sudoers file


Hi,
I want to be able to give a user permission to use the "/usr/bin/chown" command on Solaris using sudo, but only want them to be able to change files or directories under a certain directory, e.g. "/usr/sap/trans" and any directories underneath.
Examples of commands I want to allow to run are:-

	/usr/bin/chown oracle /usr/sap/trans/file1.txt
	/usr/bin/chown brian /usr/sap/trans/data/filter.csv

In the sudoers file I set up the command to allow to run as this:-

	/usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*

This works for the above two commands I do want to use, but it also allows things like this:-

	/usr/bin/chown brian /usr/sap/trans/data/filter.csv /etc/passwd

Now as you can see this is a major problem as I don't want to allow that. I basically want to make sure that the chown starts with "/usr/sap/trans". Is there any way I can do this?
Is there a way to exclude spaces from [A-z] in the sudoers line?
Please help as I really need to get this working.
Thanks
Jeff