[sudo-users] Allowing command through pipe only
Aaron Lewis
the.warl0ck.1989 at gmail.com
Wed Jan 2 10:08:18 EST 2013
Hi Todd,
Seems to have a syntax error with
sh -c "iptables -L | wc -l" in a Cmnd_Alias,
but anyway, I hacked the source code and made a simple netfilter
program to do the counting of rules ..
Script is actually a good idea, I'll do that next time ;-P
Thanks to all of you who replied!
On 09:29 Wed 02 Jan , Todd C. Miller wrote:
> On Wed, 02 Jan 2013 21:56:11 +0800, Aaron Lewis wrote:
>
> > Say I want to grant user only the permission to run (only count how
> > many lines in the output),
> >
> > iptables -L | wc -l
> >
> > But to accomplish that, I will have to grant the permission to run this command:
> >
> > iptables -L
> >
> > That's not secure enough, 'cause user can view the rules now, any thoughts?
>
> Since the pipe is handled by the shell, this is effectively two
> separate commands. You could grant permission to run:
>
> sh -c "iptables -L | wc -l"
>
> but that is rather cumbersome. It is probably simplest to just
> create a count_iptables script and grant access to that.
>
> - todd
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
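
A sketch of the count_iptables wrapper suggested in the quoted reply, added here as an example (it is not code from the thread or from the sudo project). The install path /usr/local/sbin/count_iptables, the iptables location /sbin/iptables and the user name in the sudoers comment are assumptions.

```shell
#!/bin/sh
# count_iptables: print only the number of lines in the `iptables -L` output.
# Assumed install: root-owned, mode 0755, at /usr/local/sbin/count_iptables.
# Assumed sudoers rule ("aaron" is a placeholder user; "" forbids arguments):
#   aaron ALL = (root) /usr/local/sbin/count_iptables ""

PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed search path, not the caller's
export PATH
IPTABLES=/sbin/iptables              # assumed location; adjust per system

# Run the given command and print only how many lines it wrote to stdout.
# Fails closed: if the command fails, nothing is printed and 1 is returned.
count_lines_of() {
    out=$("$@" 2>/dev/null) || return 1
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | wc -l | tr -d ' '
}

main() {
    # Refuse arguments so the caller cannot steer iptables or the shell.
    if [ "$#" -ne 0 ]; then
        echo "usage: count_iptables" >&2
        return 2
    fi
    count_lines_of "$IPTABLES" -L || {
        echo "count_iptables: iptables -L failed" >&2
        return 1
    }
}

# Run only under the installed name, so the functions can be sourced and tested.
case "${0##*/}" in
    count_iptables) main "$@"; exit $? ;;
esac
```

Because the rule listing is captured inside the script and only the count is written to stdout, the sudoers entry grants the count without granting `iptables -L` itself.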