[sudo-users] Limiting arguments on a command

Tony G. tonysk8 at gmx.net
Thu Feb 25 18:50:12 EST 2010


Hi Ian,

I don't think that CMD alias will work.

The rule: /bin/mkdir /apps/[[\:alpha\:]]*

matches your example (on the *bold "t"*): sudo /bin/mkdir /apps/*t*est1 /etc/foobar

As you are saying, the command must start with /bin/mkdir /apps/*<alphanumeric_char>* <The * is a glob matching all, including whitespace, or no chars>

If you try sudo /bin/mkdir /apps/*<non_alpha_char>*est1, then it won't match the rule and will thus fail.

It might work if sudoers supports regex, but I'm not sure it does.

Besides, relative paths might be injected:
sudo /rmdir * /apps/*t*est1/../../

Is this required as root? If not, you can let the user run any command as that user, keeping the ownership that way.


On Wed, Feb 24, 2010 at 12:09 PM, Ian Goldstein <IGoldstein at jefferies.com> wrote:

> Hello,
>
> I am trying to implement sudo so that a user can maintain directories and
> permissions.  I want to limit what can be on the command line to an
> argument without necessarily creating a script wrapper.
>
> Can somebody please help me figure out what I am missing?
>
>
> As an illustration, I have the following in my sudoers:
>
> User_Alias      TEST_ADMIN=usera,userb
>
> Cmnd_Alias      TEST_ADMIN_CMDS =      \
>                /bin/mkdir /apps/[[\:alpha\:]]*    ,\
>                /bin/rmdir /apps/[[\:alpha\:]]*    ,\
>                /bin/chown * /apps/[[\:alpha\:]]*  ,\
>                /bin/chmod * /apps/[[\:alpha\:]]*
>
>
>
> TEST_ADMIN      ALL = (root) NOPASSWD:TEST_ADMIN_CMDS
>
> What this allows me to do as a user is
>
> sudo /bin/mkdir /apps/test1
>
> But it also allows me to run this which is not desirable
>
> sudo /bin/mkdir /apps/test1 /etc/foobar   ( creates a directory in /etc
> called foobar.)
>
> Thanks
>
>
>
>
>
>



-- 
Tony
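The matching behaviour Tony describes, as an added example that is not part of the thread and not sudo's own code: a small Python model of how a sudoers argument glob is applied to the user's command line. It assumes sudo joins the user's arguments with single spaces and matches that one string against the pattern, so `*` spans whitespace; the rule text uses an unescaped `[[:alpha:]]`, which inside a real sudoers file is written `[[\:alpha\:]]` as in Ian's alias.

```python
import re

# Model of the glob-matching step only (assumption: real sudo also resolves
# paths and handles escaping, which is not modelled here).

ALPHA_CLASS = "[[:alpha:]]"   # written [[\:alpha\:]] inside a real sudoers file


def glob_to_regex(pattern: str) -> str:
    """Translate the sudoers glob subset used in the thread to a Python regex.

    Supported: '*', '?' and the [[:alpha:]] class (assumed to mean ASCII letters).
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(ALPHA_CLASS, i):
            out.append("[A-Za-z]")
            i += len(ALPHA_CLASS)
            continue
        c = pattern[i]
        if c == "*":
            out.append(".*")      # matches anything, including spaces between args
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def rule_matches(rule: str, argv: list) -> bool:
    """True if a Cmnd_Alias entry ('<path> <arg pattern>') permits argv.

    A rule without wildcards ends up requiring an exact argument match,
    because nothing in it expands to '.*' or '.'.
    """
    rule_cmd, _, rule_args = rule.partition(" ")
    if not argv or argv[0] != rule_cmd:
        return False
    user_args = " ".join(argv[1:])   # argv joined into one string, as sudo does
    return re.fullmatch(glob_to_regex(rule_args), user_args, re.DOTALL) is not None


if __name__ == "__main__":
    rule = "/bin/mkdir /apps/" + ALPHA_CLASS + "*"
    for argv in (["/bin/mkdir", "/apps/test1"],                    # intended use
                 ["/bin/mkdir", "/apps/test1", "/etc/foobar"],     # extra arg still matches
                 ["/bin/mkdir", "/apps/1test"],                    # non-alpha first char: rejected
                 ["/bin/mkdir", "/apps/test1/../../etc/foobar"]):  # '..' still matches
        print(rule_matches(rule, argv), " ".join(argv))
```

Listing exact paths without wildcards (for example `/bin/mkdir /apps/test1`) is the only form the model rejects extra arguments for, which is why the thread ends up discussing a wrapper script instead.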