[sudo-users] sudoers file - Limiting command line argument
Erwin Lam
erwinlam at dds.nl
Wed Jul 18 11:57:59 EDT 2012
On Wed, 18 Jul 2012 07:52:15 -0400, Kevin Shortt
<kevinshortt at gmail.com> wrote:
> I am in search of info on a regex type glob too and I know this is
> many months late, but have used a solution for this problem. I will
> share in hopes someone gets helped.
>
> I offer this example using the /bin/cat command. It is a bit robust,
> but provides /bin/cat with a fast glob anchored
> at /path/to/where_ever. I used the logfile owner as oracle, but
> obviously if the logfile owner is not specified and used, the /bin/cat
> will work when defaulted to root. This has been tested and
> obfuscated to protect the guilty, but mileage may vary.
>
> User_Alias ALLOW_VIEW = usera, userb, %viewgroup
> User_Alias LOG_OWNER = oracle
> Cmd_Alias CAT_PARENT = /bin/cat *../*
> Cmd_Alias VIEW_CMDS = /bin/cat /path/to/where_ever/*/*.log, !CAT_PARENT
>
> ALLOW_VIEW ALL=(LOG_OWNER) NOPASSWD: VIEW_CMDS
Do not allow blanks in the path/filename, otherwise users can still
access other files.
Regards,
Erwin
--
Erwin Lam (erwinlam at dds.nl)
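
Added example, not part of the original messages: a small check of why the blank matters. sudoers matches command line arguments as a single string joined with blanks, so a wildcard can match across word boundaries. Python's fnmatch is used here as an approximation of that matcher, and `strict_allows` is a hypothetical stricter check for a wrapper script; the argument lists in the test are constructed.

```python
from fnmatch import fnmatchcase

# Argument patterns taken from the quoted sudoers rule.
ALLOW = "/path/to/where_ever/*/*.log"   # arguments of VIEW_CMDS
DENY = "*../*"                          # arguments of CAT_PARENT
BASE = ["", "path", "to", "where_ever"]  # components of /path/to/where_ever


def sudoers_allows(argv):
    """Approximate sudoers matching: the arguments are joined with single
    blanks and matched as one string, so '*' also spans blanks and '/'."""
    joined = " ".join(argv)
    return fnmatchcase(joined, ALLOW) and not fnmatchcase(joined, DENY)


def strict_allows(argv):
    """Hypothetical wrapper-side check: exactly one operand, no whitespace,
    no '..' component, and exactly BASE/<dir>/<name>.log."""
    if len(argv) != 1:
        return False
    path = argv[0]
    if any(ch.isspace() for ch in path):
        return False
    parts = path.split("/")
    if ".." in parts:
        return False
    return (parts[:len(BASE)] == BASE
            and len(parts) == len(BASE) + 2
            and all(parts[len(BASE):])
            and path.endswith(".log"))


def compare(argv):
    """Return (glob rule verdict, strict verdict) for one argument list."""
    return sudoers_allows(argv), strict_allows(argv)
```

A rule that has to hold per file is easier to enforce in a small wrapper that validates one operand than in a sudoers glob.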