[sudo-users] sudoers file - Limiting command line argument

Erwin Lam erwinlam at dds.nl
Wed Jul 18 11:57:59 EDT 2012

On Wed, 18 Jul 2012 07:52:15 -0400, Kevin Shortt
<kevinshortt at gmail.com> wrote:

> I am in search for info on a regex type glob too and I know this is
> many months late, but have used a solution for this problem.  I will
> share in hopes someone gets helped.
> I offer this example using the /bin/cat command. It is a bit robust,
> but provides /bin/cat with a fast glob anchored
> at /path/to/where_ever.  I used the logfile owner as oracle, but if
> obviously if the logfile owner is not specified and used the /bin/cat
> will work when defaulted to root.  This has been tested and
> obfuscated to protect the guilty, but mileage may vary.
> User_Alias ALLOW_VIEW = usera, userb, %viewgroup
> User_Alias LOG_OWNER  = oracle
> Cmd_Alias  CAT_PARENT  = /bin/cat *../*
> Cmd_Alias  VIEW_CMDS
> = /bin/cat /path/to/where_ever/*/*.log, !CAT_PARENT

Do not allow blanks in the path/filename otherwise users can still
access other files.


Erwin Lam (erwinlam at dds.nl)

More information about the sudo-users mailing list