[sudo-users] sudoers file - Limiting command line argument
kevinshortt at gmail.com
Wed Jul 18 07:52:15 EDT 2012
I am in search of info on a regex-type glob too, and I know this is many
months late, but I have used a solution for this problem. I will share it in
hopes someone gets helped.

I offer this example using the /bin/cat command. It is a bit robust, but
provides /bin/cat with a fast glob anchored at /path/to/where_ever. I used
the logfile owner as oracle, but obviously, if the logfile owner is not
specified and used, /bin/cat will work when defaulted to root. This has
been tested and obfuscated to protect the guilty, but mileage may vary.
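
# Who may view the logs, and the account that owns them
User_Alias ALLOW_VIEW = usera, userb, %viewgroup
User_Alias LOG_OWNER = oracle
# Matches any argument string that contains "../"
Cmd_Alias CAT_PARENT = /bin/cat *../*
Cmd_Alias VIEW_CMDS = /bin/cat /path/to/where_ever/*/*.log, !CAT_PARENT
# Run the view commands as the log owner, without a password prompt
ALLOW_VIEW ALL=(LOG_OWNER) NOPASSWD: VIEW_CMDS
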
I hope this helps someone.
On Mon, Feb 27, 2012 at 2:32 PM, b. nyec <bnyec at yahoo.com> wrote:
> I know this has been asked many times, but I am unable to find a solid
> I just need to exclude or restrict one or two command line arguments from
> an allowed command.
> Allow the command /path/to/command to be run with ALL arguments except for
> "-a" and "--argument"
> So for example,
> /path/to/command -myarg bla -secdarg bla2 - would be allowed
> /path/to/command -myarg bla -a -secdarg bla2 - would NOT be allowed
> /path/to/command -myarg bla -secdarg bla2 -a - would NOT be allowed
> /path/to/command --argument -myarg bla -secdarg bla2 - would NOT be allowed
> What would be the regex for something like this? Trial and error, I'm not
> able to get it to work properly.
> I have seen suggestions, a little less elegant, of creating a "wrapper
> script"; would this be the only real alternative/correct way?
> Thanks for your time.
> - B
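
To review which command lines the VIEW_CMDS rule in the message above admits before deploying it, the matching can be modelled offline. This is an added example, not part of the original message or of sudo itself; it approximates sudoers argument matching with Python's `fnmatchcase` (arguments joined into one string, wildcards also matching "/" and spaces, last matching entry wins, no backslash escapes), and the sample command lines are constructed.

```python
from fnmatch import fnmatchcase

# VIEW_CMDS from the message: (negated, command, argument pattern).
VIEW_CMDS = [
    (False, "/bin/cat", "/path/to/where_ever/*/*.log"),
    (True, "/bin/cat", "*../*"),  # !CAT_PARENT
]

def permitted(argv, rules=VIEW_CMDS):
    """Model the sudoers decision for one command line (argv list)."""
    command = argv[0]
    # sudoers matches the arguments as one space-joined string, so "*"
    # can span "/" and the gaps between separate arguments.
    args = " ".join(argv[1:])
    verdict = False  # nothing matched: not permitted
    for negated, rule_cmd, pattern in rules:
        if command == rule_cmd and fnmatchcase(args, pattern):
            verdict = not negated  # the last matching entry wins
    return verdict

# Constructed command lines to review before deploying the rule.
SAMPLES = {
    "intended": ["/bin/cat", "/path/to/where_ever/db1/alert.log"],
    "no_subdir": ["/bin/cat", "/path/to/where_ever/alert.log"],
    "parent_dir": ["/bin/cat", "/path/to/where_ever/db1/../../x/alert.log"],
    "other_cmd": ["/usr/bin/less", "/path/to/where_ever/db1/alert.log"],
    # Second file outside the anchored directory: the joined string still
    # starts with the prefix and ends in ".log".
    "extra_file": ["/bin/cat", "/path/to/where_ever/db1/alert.log",
                   "/var/tmp/notes.log"],
}

def audit(samples=SAMPLES):
    """Return {label: True/False} for every sample command line."""
    return {label: permitted(argv) for label, argv in samples.items()}

if __name__ == "__main__":
    for label, allowed in audit().items():
        print(f"{label:11} {'ALLOW' if allowed else 'DENY'}")
```

The `extra_file` result is the behaviour the sudoers manual warns about for wildcards in command line arguments, which match across word boundaries. A rule that must admit exactly one file under the anchored directory needs explicit per-file entries or a wrapper script that validates its arguments.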