[sudo-users] Allow the dir creation to one level only
Matthew Hannigan
mlh at zip.com.au
Wed Apr 13 19:37:10 EDT 2011
On Wed, Apr 13, 2011 at 07:13:34AM -0700, Dempsey, Steve AZ wrote:
> You may try a combination permit/deny rule such as:
>
> user ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*
>
> This worked in a simple test:
>
> host> sudo -l
>
> Authenticate with steved99's password:
>
> User steved99 may run the following commands on this host:
>
> (root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*
>
> host> sudo mkdir /opt/newdir
>
> host> sudo mkdir /opt/newdir/subdir
>
> Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.
>
But it DOES allow
sudo mkdir /opt/newdir/subdir/anothersubdir
if /opt/newdir/subdir already exists. i.e. it only stops the second level
This might be ok. OTOH, yet again, using ! almost always has bugs.
Don't use !
Use a wrapper. It's no more difficult to get someone to use a wrapper compared
to running sudo mkdir ...
If you want to get fancy, you can call the wrapper mkdir and put it in a dir
that is first in the user's PATH. The wrapper can call sudo if the arg is /opt/newdir/something
or just call /bin/mkdir otherwise.
Matt
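The wrapper Matt describes, written out as an added example (not code from the original post or from the sudo project). It is a POSIX sh script meant to be installed under the name mkdir early in the user's PATH. The parent directory /opt/newdir, the name of the decision function and the "sudo"/"plain" mode strings are assumptions made for this illustration. The check is a pure string test, so it rejects a second path component, an empty component, "." and "..", and any path that merely shares a prefix with the parent (e.g. /opt/newdirx/sub), which is the kind of case a `!` rule in sudoers gets wrong.

```shell
#!/bin/sh
# Wrapper "mkdir": only a path exactly one level under ALLOWED_PARENT is
# created via sudo; any other invocation is handed to /bin/mkdir unprivileged.
# ALLOWED_PARENT is an assumed value for this example.
ALLOWED_PARENT="/opt/newdir"

# Return 0 when $1 is "$ALLOWED_PARENT/<one non-empty component>" and nothing else.
# Rejected: deeper paths, a trailing slash, an empty component, "." and "..",
# and paths that do not start with "$ALLOWED_PARENT/".
one_level_under_parent() {
    case "$1" in
        "$ALLOWED_PARENT"/*/*)                       return 1 ;;  # two or more levels (or trailing slash)
        "$ALLOWED_PARENT"/.|"$ALLOWED_PARENT"/..)    return 1 ;;  # would resolve to the parent or above it
        "$ALLOWED_PARENT"/?*)                        return 0 ;;  # exactly one non-empty component
        *)                                           return 1 ;;  # anywhere else
    esac
}

# Decide how the arguments will be run. Prints "sudo" when there is exactly one
# argument and it passes the check above, otherwise "plain" (this includes any
# option such as -p, which would otherwise let mkdir create deeper trees).
mkdir_mode() {
    if [ "$#" -eq 1 ] && one_level_under_parent "$1"; then
        echo sudo
    else
        echo plain
    fi
}

# Execute according to the decision. sudo gets a fixed argv with no options,
# so the matching sudoers entry can be as narrow as:
#   user ALL=(root) /bin/mkdir /opt/newdir/*      (assumed entry, no "!" rule needed)
run_mkdir() {
    if [ "$(mkdir_mode "$@")" = sudo ]; then
        exec sudo /bin/mkdir "$1"
    else
        exec /bin/mkdir "$@"
    fi
}

# Dispatch only when invoked under the wrapper's intended name, so the file can
# also be sourced to exercise the functions above without creating anything.
case "${0##*/}" in
    mkdir) run_mkdir "$@" ;;
esac
```

One caveat: as long as sudoers still grants `/bin/mkdir /opt/newdir/*` directly, a user can bypass the wrapper by typing `sudo /bin/mkdir /opt/newdir/a/b` themselves, since a `*` in the argument part of a sudoers command matches slashes. If the one-level restriction is a policy rather than a convenience, grant sudo only on the wrapper itself (installed root-owned and non-writable) and have it run `/bin/mkdir` as root after the same check.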