[sudo-users] Grant permission by "digest" only?
Todd C. Miller
Todd.Miller at sudo.ws
Sun Mar 1 15:00:25 MST 2020
On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
> I would like to allow "sudo" to grant access to /any/ binary that
> matches the specified digest/checksum, or at least a given filename in
> any path location.... Reading the manual for sudo it appears to suggest
> that "*" matches 0 or more character, so I would hope I could match /*
> and specify a digest.
> The problem is that * seems to match any character except "/", so I can
> only specify "any binary" at a specific depth in the filesystem. Is
> there some way to achieve this, or some security reason I shouldn't want
> to that I might have missed?
There's not currently a way to achieve this. The '*' wildcard does
not match the path separator, so /* would only match commands in
the root directory.
If you know what directories the command will be located in you can
use, for example, /usr/bin/* or /usr/local/bin/* but there isn't a
way to allow a command to be run purely based on the digest.
More information about the sudo-users