[sudo-users] Checksum for executed scripts
Todd C. Miller
Todd.Miller at courtesan.com
Tue Aug 20 08:16:40 MDT 2013
You are in luck, sudo 1.8.7 added support for SHA-2 digests
(checksums) of commands. To use it you place the digest
before the command. For example:

    someuser ALL = \
        sha224:118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 \
        /home/oracle/root.sh

It is often cleaner to group the command and digest together in
a Cmnd_Alias instead.

    Cmnd_Alias ORACLE_ROOT_SH = \
        sha224:118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 \
        /home/oracle/root.sh

    someuser ALL = ORACLE_ROOT_SH

You can also use base64 encoding of the digest which is a bit more
compact. See the sudoers manual for more details (search for digest
and sha2) http://www.sudo.ws/sudo/man/1.8.7/sudoers.man.html
- todd
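
The following is an added example, not part of the original message: a small Python helper that computes a file's SHA-2 digest in both the hex and base64 forms mentioned above, formats a matching Cmnd_Alias, and re-checks a file against a pinned digest. The function names, the sample script and the permission check are assumptions made for illustration.

```python
import base64, hashlib, os, stat, tempfile

ALGOS = ("sha224", "sha256", "sha384", "sha512")  # SHA-2 types sudoers accepts

def file_digest(path, algo="sha224"):
    """Return the file's digest as (hex, base64)."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported digest type: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), base64.b64encode(h.digest()).decode()

def cmnd_alias(alias, path, algo="sha224", use_base64=False):
    """Format a Cmnd_Alias pinning path to its current digest."""
    hex_d, b64_d = file_digest(path, algo)
    digest = b64_d if use_base64 else hex_d
    return f"Cmnd_Alias {alias} = \\\n    {algo}:{digest} \\\n    {path}"

def matches(spec, path):
    """Check a file against an 'algo:digest' spec (hex or base64)."""
    algo, _, want = spec.partition(":")
    hex_d, b64_d = file_digest(path, algo)
    return want.lower() == hex_d or want == b64_d

def loosely_writable(path):
    """True if the file or its directory is group- or world-writable."""
    bits = stat.S_IWGRP | stat.S_IWOTH
    parent = os.path.dirname(os.path.abspath(path))
    return any(os.stat(p).st_mode & bits for p in (path, parent))

if __name__ == "__main__":
    # Constructed sample script in a temp directory (stand-in for root.sh).
    script = os.path.join(tempfile.mkdtemp(), "root.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho configured\n")
    os.chmod(script, 0o755)
    print(cmnd_alias("ORACLE_ROOT_SH", script))
    print(cmnd_alias("ORACLE_ROOT_SH", script, use_base64=True))
    pinned = "sha224:" + file_digest(script)[0]
    with open(script, "a") as f:
        f.write("id\n")  # simulate a later modification
    print("still matches:", matches(pinned, script))
    print("loosely writable:", loosely_writable(script))
```

Any change to the script changes its digest, so the sudoers entry has to be regenerated whenever the pinned file is legitimately updated.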