[sudo-users] Checksum for executed scripts

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 20 08:16:40 MDT 2013

You are in luck, sudo 1.8.7 added support for SHA-2 digests
(checksums) of commands.  To use it you place the digest
before the command.  For example:

someuser ALL = \
    sha224:118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 \

It is often cleaner to group the command and digest together in
a Cmnd_Alias instead.

Cmnd_Alias ORACLE_ROOT_SH = \

You can also use base64 encoding of the digest which is a bit more
compact.  See the sudoers manual for more details (search for digest
and sha2) http://www.sudo.ws/sudo/man/1.8.7/sudoers.man.html

 - todd

More information about the sudo-users mailing list