[sudo-users] Punching in a secure_path w/o Touching Global secure_path

Jepeway, Chris Chris.Jepeway at JTV.com
Tue Mar 13 14:39:06 MDT 2018

I'm using a config management tool to set up sudoers.  That's mostly a detail,
but it kinda explains a set of constraints I'll get to.

What I'd like to do is something like this, for various commands
that get installed outside the normal places, in /opt, say:

	Cmnd_Alias      WHACK=/opt/whack/bin
	Defaults!WHACK  secure_path=/bin:/usr/bin:/opt/whack/bin

This, so when I type

        $ sudo whack status

I'll run the /opt/whack/bin/whack binary with an argument of
"status," and sudo won't complain

	sudo: whack: command not found

because of a global secure_path setting that didn't know to include /opt/whack/bin.

This approach doesn't work.  Am I missing how to use Defaults! or otherwise goofing up?

I can get close if the command needs to run as a user that's not root,
by using

	Runas_Alias      WHACKU = whack
	Defaults>WHACKU  secure_path=/bin:/usr/bin:/opt/whack/bin

but I run into trouble with that technique if the binaries for
the whack package need to run as root, since that'll override
any prior secure_path setting.

As for those constraints...I could just set the global secure_path
to include /opt/whack/bin, but that gets tricky.  I'm trying
to have a general sudoers file that gets provisioned, and then
put the per-package overrides for who needs to run what into
/etc/sudoers.d.  I'd like to keep the concerns of "this box
needs sudo" separate from "this box runs this package, and
admins will want to run its commands as root," while not
forcing something like

	$ sudo /opt/whack/bin/whack status

on our admins.

Thoughts?  Help?


(Howdy, Todd.  Longtime...)

More information about the sudo-users mailing list