[sudo-users] sudoers file - Limiting command line argument

Kevin Shortt kevinshortt at gmail.com
Wed Jul 18 07:52:15 EDT 2012

I am in search for info on a regex type glob too and I know this is many
months late, but have used a solution for this problem.  I will share in
hopes someone gets helped.

I offer this example using the /bin/cat command. It is a bit robust, but
provides /bin/cat with a fast glob anchored at /path/to/where_ever.  I used
the logfile owner as oracle, but if obviously if the logfile owner is not
specified and used the /bin/cat will work when defaulted to root.  This has
been tested and obfuscated to protect the guilty, but mileage may vary.

User_Alias ALLOW_VIEW = usera, userb, %viewgroup
User_Alias LOG_OWNER  = oracle
Cmd_Alias  CAT_PARENT  = /bin/cat *../*
Cmd_Alias  VIEW_CMDS   = /bin/cat /path/to/where_ever/*/*.log, !CAT_PARENT


I hope this helps someone.


On Mon, Feb 27, 2012 at 2:32 PM, b. nyec <bnyec at yahoo.com> wrote:

> Hi,
> I know this has been asked many times, but i am unable to find a solid
> answer/solution.
> I just need to exclude or restrict one or two command line arguments from
> an allowed command.
> Logic:
> Allow the command /path/to/command to be run with ALL arguments except for
> "-a" and "--argument"
> So for example,
> /path/to/command -myarg bla -secdarg bla2 - would be allowed
> /path/to/command -myarg bla -a -secdarg bla2 - would NOT be allowed
> /path/to/command -myarg bla -secdarg bla2 -a - would NOT be allowed
> /path/to/command --argument -myarg bla -secdarg bla2 - would NOT be allowed
> etc....
> What would be the regex for something like this? trial and error, i'm not
> able to get it to work properly.
> I have seen suggestions a little less elegant of creating a "wrapper
> script", would this the only real alternative/correct way ?
> Thanks for you time.
> - B
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list