[sudo-users] fuzzy command acceptance?

Todd C. Miller Todd.Miller at courtesan.com
Thu Apr 7 11:19:03 EDT 2011


On Wed, 06 Apr 2011 17:49:20 PDT, "Woodward, Andrew" wrote:

> I thought this was working but might have been my imagination
> 
> sudoCommand = "/bin/su mysqladmin"
> 
> user types "sudo su mysqladmin -"
> 
> I was expecting that to pass as OK, is there an option to allow this short
> of adding every permutation of the command, or do I have to add the *
> wildcard to the end?

The rule is that if there are any command line arguments specified
in the sudoers file they need to match what is given by the user.
So, for something like:

    user host = /bin/su

The user would be able to run su, su -, su - mysqladmin, etc. because
no arguments were specified.  You may want something like:

    user host = /bin/su mysqladmin, /bin/su - mysqladmin

Note that the '-' is an argument to su and should come before the
user.  It's possible you are using a version of su that doesn't
care about the order, though (GNU getopt usually allows flags to
be interspersed with other arguments).

You can also use wildcards like '*', '?', as well as ranges.

 - todd
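
Added example, not part of the message above and not sudo's own code: a simplified Python model of the matching rule described in the reply, extended to the `""` entry and to wildcards, which sudoers compares against the arguments joined into one string. The names `parse_entry` and `allowed` and the account `mysqladmin-backup` are hypothetical, and Python's `fnmatch` only approximates sudo's fnmatch(3) matching (no backslash escapes).

```python
# Simplified model of sudoers command-argument matching (illustration only).
import fnmatch
import shlex

def parse_entry(entry):
    """Split a sudoers command entry into (path, argument pattern or None)."""
    parts = shlex.split(entry)
    path, args = parts[0], parts[1:]
    if not args:
        return path, None      # no arguments listed: any arguments are allowed
    if args == [""]:
        return path, ""        # "" in sudoers: only the bare command is allowed
    return path, " ".join(args)

def allowed(entries, path, user_args):
    """True if the resolved command path and its arguments match any entry."""
    typed = " ".join(user_args)
    for entry in entries:
        e_path, e_args = parse_entry(entry)
        if e_path != path:
            continue
        if e_args is None:
            return True
        # Arguments are compared as one joined string, so '*' and '?'
        # can match across word boundaries.
        if fnmatch.fnmatchcase(typed, e_args):
            return True
    return False

# Constructed sudoers entries, modelled on the ones in the thread.
BARE = ["/bin/su"]
EXACT = ["/bin/su mysqladmin", "/bin/su - mysqladmin"]
WILD = ["/bin/su mysqladmin*"]
NOARGS = ['/bin/su ""']

if __name__ == "__main__":
    cases = [
        (BARE, ["-", "mysqladmin"]),
        (EXACT, ["-", "mysqladmin"]),
        (EXACT, ["mysqladmin", "-"]),      # the order the user typed
        (WILD, ["mysqladmin", "-"]),
        (WILD, ["mysqladmin-backup"]),     # pattern is wider than one account
        (NOARGS, ["-"]),
    ]
    for entries, args in cases:
        print(entries, args, "->", allowed(entries, "/bin/su", args))
```

The `EXACT` list rejects `su mysqladmin -` because the joined argument string differs from both entries, while the trailing `*` accepts it along with any other string that starts with `mysqladmin`.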


