[sudo-users] Using shell variables in Command Alias Definitions

Ryan Chewning ryan at chewning.us
Tue Nov 17 08:52:03 MST 2015


Thanks for the quick reply, Eric. I was hoping to avoid writing a wrapper
script with the security issues that can be introduced.

In the course of my searching I saw mention of possibly adding regex
support to Sudo. Is that something which is still in the works or did that
die because of the complications involved with validating and writing regex?

On Tue, Nov 17, 2015 at 10:11 AM, Ladner, Eric (Eric.Ladner) <
Eric.Ladner at chevron.com> wrote:

> I don't think variables are expanded inside the sudoers file.
>
> Your best option is probably to write a wrapper script.  Inside the
> script, you can use the $SUDO_USER variable that sudo injects into the
> environment to get the calling username.
>
> Something like "php-fpm-manager.sh", put it somewhere handy, make sure
> it's not writable by non-admins.
>
> --------------------
> #!/bin/bash
> # you might want to do argument checking here..
> arg=$1
>
> # SUDO_USER is set to the calling user's userid.
> /bin/systemctl "$arg" "php5-fpm@${SUDO_USER}.service"
> ------------------------
>
> Then your command aliases would look like:
>
> Cmnd_Alias PHPFPMRESTART = /whatever/php-fpm-manager.sh restart
> Cmnd_Alias PHPFPMSTART = /whatever/php-fpm-manager.sh start
> ... etc..
>
> -----Original Message-----
> From: sudo-users [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Ryan
> Chewning
> Sent: Tuesday, November 17, 2015 8:33 AM
> To: sudo-users at sudo.ws
> Subject: [**EXTERNAL**] [sudo-users] Using shell variables in Command
> Alias Definitions
>
> Hi all,
>
> I've spent several hours looking online for a way to use a shell variable
> in a command alias. I'm using Debian 8 which ships with Sudo version
> 1.8.10p3 / Sudoers file grammar version 43.
>
> I'm attempting to do something like this:
>
> User_Alias PHPFPM_USERS = user1, user2, user3
>
> Cmnd_Alias PHPFPMRESTART = /bin/systemctl restart php5-fpm@'$USER'.service
> Cmnd_Alias PHPFPMSTART = /bin/systemctl start php5-fpm@$USER.service
> Cmnd_Alias PHPFPMRELOAD = /bin/systemctl reload php5-fpm@$USER.service
> Cmnd_Alias PHPFPMSTOP = /bin/systemctl stop php5-fpm@$USER.service
> Cmnd_Alias PHPFPMSTATUS = /bin/systemctl status php5-fpm@$USER.service
>
> I was hoping that $USER would be replaced at runtime with the user that's
> executing the command to save the need for tens or hundreds of definitions.
>
> Thanks for any help or guidance of a better way to do this!
>
> Cheers,
>
> Ryan
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
>
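
An added example, not part of the thread and not sudo project code: one way to write the wrapper described above so that it checks both its argument and SUDO_USER before calling systemctl. The script name and unit naming come from the thread; the allowed username characters, the exit codes and the self-name check at the end are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the thread: a stricter php-fpm-manager.sh.
# Assumes units are named php5-fpm@<username>.service, as in the thread.
SYSTEMCTL=/bin/systemctl

# Accept only the five actions named in the original Cmnd_Alias list.
valid_action() {
    case "$1" in
        start|stop|restart|reload|status) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only plain account names: non-empty, no leading '-', nothing outside
# [A-Za-z0-9_-]. This character set is an assumption for the example.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the unit name for a caller, or fail without printing anything.
unit_for() {
    valid_user "$1" || return 1
    printf 'php5-fpm@%s.service\n' "$1"
}

main() {
    # Exactly one argument; sudoers also pins it, this is defence in depth.
    if [ "$#" -ne 1 ] || ! valid_action "$1"; then
        echo "usage: $0 {start|stop|restart|reload|status}" >&2
        return 64
    fi
    # SUDO_USER is set by sudo; refuse to run if it is missing or malformed.
    unit=$(unit_for "${SUDO_USER:-}") || {
        echo "refusing: SUDO_USER is unset or not a plain username" >&2
        return 65
    }
    # Known PATH, absolute binary, every expansion quoted.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    "$SYSTEMCTL" "$1" "$unit"
}

# Act only when run under the installed name, so the file can also be sourced.
if [ "${0##*/}" = "php-fpm-manager.sh" ]; then
    main "$@"
fi
```

The Cmnd_Alias entries still list each permitted action explicitly, and the script and its directory must be writable only by root.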

