[sudo-users] Punching in a secure_path w/o Touching Global secure_path
Todd C. Miller
Todd.Miller at sudo.ws
Wed Mar 14 06:25:52 MDT 2018
On Tue, 13 Mar 2018 20:39:06 -0000, "Jepeway, Chris" wrote:
> What I'd like to do is something like this, for various commands
> that get installed outside the normal places, in /opt, say:
>
> Cmnd_Alias WHACK=/opt/whack/bin
> Defaults!WHACK secure_path=/bin:/usr/bin:/opt/whack/bin

This is a chicken vs. egg kind of situation. The per-command
Defaults are evaluated _after_ the command's full path has been
resolved. Sudo won't find /opt/whack/bin without the secure_path
setting but the Defaults line that sets it won't be evaluated until
after the command is found.

I think what you really need is the ability to append to secure_path
from an include file. That way your per-package sudoers.d files
could add what is needed. Unfortunately, that's not currently
possible.

- todd