[sudo-users] fuzzy command acceptance?
Woodward, Andrew
andreww at telenav.com
Fri Apr 8 19:25:33 EDT 2011
That's what I thought. /bin/su hasn't been caring for the parameter order,
but instead I'm getting asked for my password by sudo instead of the command
running as expected with !authenticate or given an error depending on the
host.
(root) NOPASSWD: /bin/su oracle
$ sudo su oracle -
Sorry, user ... is not allowed to execute '/bin/su oracle -' as root on ....
$ sudo -V
Sudo version 1.7.4p4
On another host (sudoers is configured by LDAP BTW)
$ sudo su oracle -
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
$ sudo -V
Sudo version 1.6.9p17
On yet another host:
$ sudo -u stacyy sudo su oracle -
Sorry, user ... is not allowed to execute '/bin/su oracle -' as root on ....
$ sudo -V
Sudo version 1.7.5
Andrew Woodward
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Thursday, April 07, 2011 8:19 AM
To: Woodward, Andrew
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] fuzzy command acceptance?
On Wed, 06 Apr 2011 17:49:20 PDT, "Woodward, Andrew" wrote:
> I thought this was working but might have been my imagination
>
> sudoCommand = "/bin/su mysqladmin"
>
> user types "sudo su mysqladmin -"
>
> I was expecting that to pass as OK, is there an option to allow this
> short of adding every permutation of the command, or do I have to add
> the * wildcard to the end?
The rule is that if there are any command line arguments specified in the
sudoers file they need to match what is given by the user.
So, for something like:
user host = /bin/su
The user would be able to run su, su -, su - mysqladmin, etc because no
arguments were specified. You may want something like:
user host = /bin/su mysqladmin, /bin/su - mysqladmin
Note that the '-' is an argument to su and should come before the user.
It's possible you are using a version of su that doesn't care about the
order, though (GNU getopt usually allows flags to be interspersed with other
arguments).
You can also use wildcards like '*', '?', as well as ranges.
- todd
More information about the sudo-users
mailing list