[sudo-users] Allowing command through pipe only

Todd C. Miller Todd.Miller at courtesan.com
Wed Jan 2 09:29:29 EST 2013


On Wed, 02 Jan 2013 21:56:11 +0800, Aaron Lewis wrote:

> Say I want to grant a user only the permission to run (only count how
> many lines in the output),
> 
> iptables -L | wc -l
> 
> But to accomplish that, I will have to grant the permission to run this
> command:
> 
> iptables -L
> 
> That's not secure enough, 'cause user can view the rules now, any thoughts?

Since the pipe is handled by the shell, this is effectively two
separate commands.  You could grant permission to run:

    sh -c "iptables -L | wc -l"

but that is rather cumbersome.  It is probably simplest to just
create a count_iptables script and grant access to that.

 - todd
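As an added example, not code from this thread or from the sudo project, here is what the count_iptables wrapper Todd suggests might look like, together with a small check that the wrapper file is safe to hand to sudo. The install path /usr/local/sbin/count_iptables, the user name aaron and the iptables location /sbin/iptables are assumptions.

```shell
#!/bin/sh
# count_iptables: report only the number of lines "iptables -L" prints.
# Added example, not from the sudo-users thread. Assumed install path:
# /usr/local/sbin/count_iptables, root-owned, mode 0755, granted with
#   aaron ALL=(root) NOPASSWD: /usr/local/sbin/count_iptables ""
# The trailing "" in sudoers means the command may only be run with no
# arguments (user name and path are assumptions).

# Do not trust the caller's PATH; sudo usually resets it, but be explicit.
PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

IPTABLES=/sbin/iptables   # assumed location

# Run a fixed command and print only its line count (no other output).
# "$@" is the command and its arguments as given by the script itself,
# never by the invoking user.
count_lines_of() {
    "$@" | wc -l | tr -d ' '
}

# The single action the sudo grant exposes: fixed argv, absolute path.
# Anything the user passes on the command line is deliberately ignored.
count_iptables() {
    count_lines_of "$IPTABLES" -L -n
}

# wrapper_is_safe PATH [OWNER]
# Returns 0 if the file is owned by OWNER (default root) and is neither
# group- nor world-writable. If the granted user could edit the wrapper,
# the sudo entry would hand them root, so this is worth checking at
# install time.
wrapper_is_safe() {
    f=$1
    owner=${2:-root}
    set -- $(ls -ld "$f" 2>/dev/null)
    mode=$1
    fowner=$3
    [ "$fowner" = "$owner" ] || return 1
    # Position 6 of the mode string is group write, position 9 is other
    # write; both must be '-'.
    case $mode in
        ?????-??-*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Only act when installed and invoked under the wrapper's own name, so
# the file can also be sourced to reuse the functions above.
case "${0##*/}" in
    count_iptables) count_iptables ;;
esac
```

The two properties that make this safer than granting `iptables -L` are that the script never forwards its own arguments, and that the file is root-owned and not writable by the granted user; `wrapper_is_safe` checks the second. The `sh -c "iptables -L | wc -l"` form Todd mentions works too, but the user must then type exactly that string, and any wildcard added to the sudoers entry to ease typing would widen the grant.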

