[sudo-users] Allow the dir creation to one level only

JR Aquino JR.Aquino at citrix.com
Fri Apr 15 05:10:34 EDT 2011

On Apr 14, 2011, at 11:22 PM, Matthew Hannigan wrote:

On Thu, Apr 14, 2011 at 09:37:10AM +1000, Matthew Hannigan wrote:
On Wed, Apr 13, 2011 at 07:13:34AM -0700, Dempsey, Steve AZ wrote:
You may try a combination permit/deny rule such as:

user  ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*

This worked in a simple test:

host> sudo -l

Authenticate with steved99's password:

User steved99 may run the following commands on this host:

   (root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*

host> sudo mkdir /opt/newdir

host> sudo mkdir /opt/newdir/subdir

Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.

But it DOES allow

   sudo mkdir /opt/newdir/subdir/anothersubdir

if /opt/newdir/subdir already exists.  i.e. it only stops the second level

Steve has said that this does work by his testing.  And testing again myself, I found it
does indeed work.

Apologies for the misinformation -- I don't know what went wrong in my tests the first time around !

Just as a precaution, I would verify that you are not able to do something like:

sudo mkdir /opt/newdir/../../newdir

More information about the sudo-users mailing list