[sudo-users] Limiting arguments on a command
Tony G.
tonysk8 at gmx.net
Thu Feb 25 18:50:12 EST 2010
Hi Ian,
I don't think that CMD alias will work.
The rule: /bin/mkdir /apps/[[\:alpha\:]]*
matches your example (on the *bold "t"*): sudo /bin/mkdir /apps/*t*est1 /etc/foobar
As you are saying the command must start with /bin/mkdir /apps/*<alphanumeric_char>*<The * is a glob matching everything, including whitespace or no chars>
If you try sudo /bin/mkdir /apps/*<non_alpha_char>*est1 then it won't match
the rule and will thus fail.
It might work if sudoers supports regex, but I'm not sure it does.
Besides, relative paths might be injected:
sudo /rmdir * /apps/*t*est1/../../
Is this required as root? If not, you can let the user run any command as
that user, keeping the ownership that way.
On Wed, Feb 24, 2010 at 12:09 PM, Ian Goldstein <IGoldstein at jefferies.com> wrote:
> Hello,
>
> I am trying to implement sudo so that a user can maintain directories and
> permissions. I want to limit what can be on the command line to an
> argument, without necessarily creating a script wrapper.
>
> Can somebody please help me figure out what I am missing?
>
>
> As an illustration, I have the following in my sudoers:
>
> User_Alias TEST_ADMIN=usera,userb
>
> Cmnd_Alias TEST_ADMIN_CMDS = \
> /bin/mkdir /apps/[[\:alpha\:]]* ,\
> /bin/rmdir /apps/[[\:alpha\:]]* ,\
> /bin/chown * /apps/[[\:alpha\:]]* ,\
> /bin/chmod * /apps/[[\:alpha\:]]*
>
>
>
> TEST_ADMIN ALL = (root) NOPASSWD:TEST_ADMIN_CMDS
>
> What this allows me to do as a user is
>
> sudo /bin/mkdir /apps/test1
>
> But it also allows me to run this which is not desirable
>
> sudo /bin/mkdir /apps/test1 /etc/foobar (creates a directory in /etc
> called foobar.)
>
> Thanks
--
Tony
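
The matching behaviour discussed in this thread, as an added example that is not part of the original messages: sudoers compares the command-line arguments as one space-joined string, and wildcards there also match '/' and whitespace, which `sudoers_args_match` emulates with a shell `case` glob. `strict_apps_arg` is a hypothetical check of the kind a wrapper script would apply; both function names and the sample arguments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: emulates sudoers argument matching; not sudo's own code.

# Argument pattern from the rule. sudoers needs the colons escaped
# ([[\:alpha\:]]); the glob that is actually matched is [[:alpha:]].
RULE_ARGS='/apps/[[:alpha:]]*'

# sudoers_args_match PATTERN ARG...
# Returns 0 if the space-joined arguments match PATTERN. In a case
# pattern '*' matches any characters, including '/' and spaces.
sudoers_args_match() {
    pattern=$1; shift
    joined="$*"
    case $joined in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# strict_apps_arg ARG...
# Returns 0 only for exactly one argument that names a direct child of
# /apps whose name starts with a letter (no sub-paths, no whitespace).
strict_apps_arg() {
    [ "$#" -eq 1 ] || return 1
    name=${1#/apps/}
    [ "$name" != "$1" ] || return 1        # argument must begin with /apps/
    case $name in
        ''|*/*|*[[:space:]]*) return 1 ;;
        [[:alpha:]]*)         return 0 ;;
        *)                    return 1 ;;
    esac
}

# Print both verdicts for one constructed mkdir command line.
report() {
    if sudoers_args_match "$RULE_ARGS" "$@"; then r=allowed; else r=denied; fi
    if strict_apps_arg "$@"; then s=allowed; else s=denied; fi
    printf 'rule=%-7s strict=%-7s mkdir %s\n' "$r" "$s" "$*"
}

report /apps/test1
report /apps/test1 /etc/foobar
report /apps/test1/../../etc/foobar
report /apps/1test
```
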