[sudo-users] Using wildcards in sudoers file

megadethpaw megadethpaw megadethpaw at hotmail.co.uk
Tue Sep 29 15:01:03 EDT 2009


Hi Robin,
I did hope that there would be a way that you could end the sudo command string, say as you can do by placing "" after a command to state no parameters are allowed.
Maybe an idea would be if the sudoers parser could see "" at the end of a command line and say that if a space appears and then any other text it's invalid, eg
/usr/bin/chown root /usr/sap/trans/[A-z]* ""
I know it's far from perfect as a filename could in theory have a space in it, but for 99% of cases I would imagine something such as the above would do the trick.
Thanks for the suggestion though Robin, all ideas gratefully accepted.
Jeff

> From: Robin.Battersby-Cornmell at uisl.unisys.com
> To: megadethpaw at hotmail.co.uk; sudo-users at sudo.ws
> Date: Tue, 29 Sep 2009 17:10:34 +0100
> Subject: RE: [sudo-users] Using wildcards in sudoers file
> 
> 
> One potential way would be to script the "sudo chown ......" and validate somehow, e.g.
> 
> 	#!/bin/ksh
> 	#
> 	# Rough and ready chown script
> 	#
> 	
> 	newowner=$1
> 	shift			# Drop $1 from parameter list
> 	for file in "$@"	# Loop for all subsequent parameters, quoted so a name with a space stays one argument
> 	do
> 	   if [ ## Work out your file matching criteria here ## ]
> 	   then
> 	      chown "$newowner" "$file"
> 	   else
> 	      echo "Change of ownership on $file not allowed"
> 	   fi
> 	done
> 
> 
> Then secure the script and grant a specific sudo rule to allow the specific user to run it.
> 
> Of course, there is no error checking written here really.  You should test that the target file does actually exist else the user will get other splattery messages.
> 
> 
> 
> 
> I hope that this helps.
> 
> Robin
> 
> 
> -----Original Message-----
> From: megadethpaw megadethpaw [mailto:megadethpaw at hotmail.co.uk] 
> Sent: Tuesday, September 29, 2009 2:52 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Using wildcards in sudoers file
> 
> 
> Hi,
> I want to be able to give a user permission to use the "/usr/bin/chown" command on Solaris using sudo, but only want them to be able to change files or directories under a certain directory, eg "/usr/sap/trans" and any directories underneath.
> Examples of commands I want to allow to run are:-
> /usr/bin/chown oracle /usr/sap/trans/file1.txt
> /usr/bin/chown brian /usr/sap/trans/data/filter.csv
> In the sudoers file I set up the command to allow to run as this:-
> /usr/bin/chown [A-z]* /usr/sap/trans/[A-z]*
> This works for the above two commands I do want to use, but it also allows things like this:-
> /usr/bin/chown brian /usr/sap/trans/data/filter.csv /etc/passwd
> Now as you can see this is a major problem as I don't want to allow that. I basically want to make sure that the chown starts with "/usr/sap/trans". Is there any way I can do this?
> Is there a way to exclude spaces from [A-z] in the sudoers line?
> Please help as I really need to get this working.
> Thanks Jeff
> 
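A stricter version of the wrapper approach Robin sketches above, added here as an example that is not part of the thread. Because sudoers wildcards match across word boundaries (which is why the `[A-z]*` rule accepts the trailing `/etc/passwd`), the wrapper checks each argument as a single unit, rejects traversal components and symlinks, and is meant to be the only command granted in sudoers; the install path /usr/local/sbin/sap-chown and the user name jeff are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): a stricter take on Robin's wrapper.
# Install as /usr/local/sbin/sap-chown (root-owned, 0755) and grant only it:
#   jeff ALL = (root) /usr/local/sbin/sap-chown
# so no sudoers wildcard has to describe chown's arguments at all.
ALLOWED_ROOT=/usr/sap/trans    # only paths below this tree may be chowned
# check_target PATH: 0 if PATH is lexically inside ALLOWED_ROOT, else 1.
# Each argument is one unit, so a name with a space is still a single path.
check_target() {
    case $1 in
        "$ALLOWED_ROOT"/*) ;;                 # prefix plus '/', so /usr/sap/transX fails
        *) return 1 ;;
    esac
    case $1 in
        */../*|*/..|*/./*|*/.|*//*|*/) return 1 ;;   # no traversal, dot/empty parts or trailing '/'
    esac
    return 0
}
# check_owner NAME: 0 if NAME is a plain user name (no options, no user:group).
check_owner() {
    case $1 in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# no_symlinks_in PATH: 0 unless PATH or any parent directory is a symlink,
# so a link planted under the tree cannot redirect chown outside it.
no_symlinks_in() {
    p=$1
    while [ -n "$p" ] && [ "$p" != / ]; do
        [ -L "$p" ] && return 1
        p=${p%/*}
        [ -z "$p" ] && p=/
    done
    return 0
}
main() {
    owner=$1; shift
    check_owner "$owner" || { echo "owner '$owner' not allowed" >&2; exit 2; }
    for f in "$@"; do
        if check_target "$f" && no_symlinks_in "$f" && [ -e "$f" ]; then
            chown -- "$owner" "$f"
        else
            echo "Change of ownership on $f not allowed" >&2
        fi
    done
}
case $0 in */sap-chown) main "$@" ;; esac   # run only when installed under that name
```

The lexical check alone is not enough on a tree the user can write to, which is why the symlink walk runs before every chown.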