[sudo-users] Allow the dir creation to one level only

Matthew Hannigan mlh at zip.com.au
Fri Apr 15 02:22:25 EDT 2011


On Thu, Apr 14, 2011 at 09:37:10AM +1000, Matthew Hannigan wrote:
> On Wed, Apr 13, 2011 at 07:13:34AM -0700, Dempsey, Steve AZ wrote:
> > You may try a combination permit/deny rule such as:
> > 
> > user  ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*
> > 
> > This worked in a simple test:
> > 
> > host> sudo -l
> > Authenticate with steved99's password:
> > User steved99 may run the following commands on this host:
> >     (root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*
> > 
> > host> sudo mkdir /opt/newdir
> > 
> > host> sudo mkdir /opt/newdir/subdir
> > Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.
> > 
> 
> But it DOES allow
> 
>     sudo mkdir /opt/newdir/subdir/anothersubdir
> 
> if /opt/newdir/subdir already exists.  i.e. it only stops the second level

Steve has said that this does work by his testing.  And testing again myself, I found it 
does indeed work.

Apologies for the misinformation -- I don't know what went wrong in my tests the first time around!
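As an added illustration (not from the thread and not sudo's own code): a small Python model of how sudo evaluates a Cmnd_Spec list against a command line. It assumes the two sudoers behaviours that explain the result above: argument patterns are matched with fnmatch(3) without FNM_PATHNAME, so `*` also matches `/`, and when several entries match, the last one decides, with a `!` entry meaning deny. Aliases, quoting, Defaults and host/user matching are left out, and the rule string and paths are the ones from the thread.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class CmndSpec:
    """One entry of a sudoers command list: program path, argument pattern,
    and whether the entry is negated with a leading '!'."""
    cmnd: str
    args_pattern: str   # "" means the entry lists no arguments (any arguments match)
    negated: bool = False


def parse_cmnd_list(spec: str) -> list[CmndSpec]:
    """Parse the comma-separated command list that follows 'user ALL=(root)'.
    Simplified model: no Cmnd_Alias, no quoting, no Defaults."""
    entries = []
    for raw in spec.split(","):
        raw = raw.strip()
        negated = raw.startswith("!")
        if negated:
            raw = raw[1:].lstrip()
        cmnd, _, args_pattern = raw.partition(" ")
        entries.append(CmndSpec(cmnd, args_pattern.strip(), negated))
    return entries


def entry_matches(entry: CmndSpec, cmnd: str, args: list[str]) -> bool:
    """Does this entry match the requested command and arguments?
    sudo compares the whole space-joined argument string against the pattern
    with fnmatch(3) and no FNM_PATHNAME flag, so '*' matches '/' (and spaces)."""
    if entry.cmnd != cmnd:
        return False
    if entry.args_pattern == "":
        return True
    return fnmatch.fnmatchcase(" ".join(args), entry.args_pattern)


def is_allowed(entries: list[CmndSpec], cmnd: str, args: list[str]) -> bool:
    """sudoers semantics: the last matching entry decides; a matching '!' entry denies."""
    verdict = False
    for entry in entries:
        if entry_matches(entry, cmnd, args):
            verdict = not entry.negated
    return verdict


# The rule from Steve's post, as a constructed sample.
RULE = "/bin/mkdir /data/*, !/bin/mkdir /data/*/*"


def evaluate_thread_cases() -> dict[str, bool]:
    """Run the paths discussed in the thread through the model."""
    entries = parse_cmnd_list(RULE)
    cases = [
        "/data/newdir",                        # first level: allowed
        "/data/newdir/subdir",                 # second level: denied by the '!' entry
        "/data/newdir/subdir/anothersubdir",   # third level: also denied, since '*' spans '/'
        "/tmp/other",                          # outside /data: no entry matches, denied
    ]
    return {path: is_allowed(entries, "/bin/mkdir", [path]) for path in cases}


if __name__ == "__main__":
    for path, allowed in evaluate_thread_cases().items():
        print(f"sudo mkdir {path}: {'allowed' if allowed else 'denied'}")
```

The third case is the one the thread is about: because `*` is not stopped by `/`, `/data/*/*` matches any path with at least two components under `/data`, so the deny entry covers every depth beyond the first, not just the second. The same property is why the sudoers manual warns that wildcards in command arguments should be used with care: the pattern is matched against the whole joined argument string, so a rule like this constrains what the arguments look like, not what the program ultimately does with them.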
