[sudo-users] fuzzy command acceptance?

Woodward, Andrew andreww at telenav.com
Fri Apr 8 19:25:33 EDT 2011

That's what I thought. /bin/su hasn't been caring for the parameter order,
but instead I'm getting asked for my password by sudo instead of the command
running as expected with !authenticate or given an error depending on the

(root) NOPASSWD: /bin/su oracle
$ sudo su oracle -
Sorry, user ... is not allowed to execute '/bin/su oracle -' as root on ....
$ sudo -V
Sudo version 1.7.4p4

On another host (sudoers is configured by LDAP BTW)
$ sudo su oracle -
Sorry, try again.
sudo: 1 incorrect password attempt
$ sudo -V
Sudo version 1.6.9p17 

On yet another host:
$ sudo -u stacyy sudo su oracle -
Sorry, user ... is not allowed to execute '/bin/su oracle -' as root on ....
$ sudo -V
Sudo version 1.7.5

Andrew Woodward

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Thursday, April 07, 2011 8:19 AM
To: Woodward, Andrew
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] fuzzy command acceptance?

On Wed, 06 Apr 2011 17:49:20 PDT, "Woodward, Andrew" wrote:

> I thought this was working but might have been my imagination
> sudoCommand = "/bin/su mysqladmin"
> user types "sudo su mysqladmin -"
> I was expecting that to pass as OK, is there an option to allow this 
> short of adding every permutation of the command, or do I have to add 
> the * wildcard to the end?

The rule is that if there are any command line arguments specified in the
sudoers file they need to match what is given by the user.
So, for something like:

    user host = /bin/su

The user would be able to run su, su -, su - mysqladmin, etc because no
arguments were specified.  You may want something like:

    user host = /bin/su mysqladmin, /bin/su - mysqladmin

Note that the '-' is an argument to su and should come before the user.
It's possible you are using a version of su that doesn't care about the
order, though (GNU getopt usually allows flags to be interspersed with other

You can also use wildcards like '*', '?', as well as ranges.

 - todd
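The matching rule described in the reply above, as an added example that is not part of the original thread and is not sudo's own code. It is a simplified model that assumes the command path is already resolved, compares the path literally, and uses Python's `fnmatch` as an approximation of sudoers wildcards. The helper names and the `mysqladmin2` account are constructed for illustration.

```python
from fnmatch import fnmatchcase
import shlex

def split_rule(rule):
    """Split a sudoers command spec into (path, args); args is None if absent."""
    parts = rule.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)

def rule_allows(rule, cmdline):
    """Return True if one sudoers command spec permits the resolved command line."""
    rule_path, rule_args = split_rule(rule)
    argv = shlex.split(cmdline)
    path, args = argv[0], " ".join(argv[1:])
    if path != rule_path:          # simplification: literal path comparison
        return False
    if rule_args is None:          # no arguments in sudoers: any arguments pass
        return True
    if rule_args == '""':          # explicit empty string: no arguments allowed
        return args == ""
    # Arguments given in sudoers: the user's joined arguments must match them.
    # '*' also matches spaces, so a trailing wildcard admits extra arguments.
    return fnmatchcase(args, rule_args)

def allowed(rules, cmdline):
    """Return the list of rules that permit cmdline (empty list means denied)."""
    return [r for r in rules if rule_allows(r, cmdline)]

if __name__ == "__main__":
    # Constructed sample rules and command lines based on the thread.
    rules = ["/bin/su mysqladmin", "/bin/su - mysqladmin"]
    for cmd in ("/bin/su mysqladmin", "/bin/su - mysqladmin",
                "/bin/su mysqladmin -"):
        print(f"{cmd!r:28} -> {allowed(rules, cmd) or 'denied'}")
    # A trailing wildcard accepts the reordered form, but also a different
    # account name that merely starts with the same prefix.
    wild = ["/bin/su mysqladmin*"]
    for cmd in ("/bin/su mysqladmin -", "/bin/su mysqladmin2"):
        print(f"{cmd!r:28} -> {allowed(wild, cmd) or 'denied'}")
```

Listing each accepted argument order explicitly keeps the rule as narrow as the two-entry example in the reply, while the wildcard form is broader than the reordering it was added for.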
