[sudo-users] Grant permission by "digest" only?

Todd C. Miller Todd.Miller at sudo.ws
Sun Mar 1 15:00:25 MST 2020

On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:

> I would like to allow "sudo" to grant access to /any/ binary that 
> matches the specified digest/checksum, or at least a given filename in 
> any path location.... Reading the manual for sudo it appears to suggest 
> that "*" matches 0 or more character, so I would hope I could match /* 
> and specify a digest.
> The problem is that * seems to match any character except "/", so I can 
> only specify "any binary" at a specific depth in the filesystem.  Is 
> there some way to achieve this, or some security reason I shouldn't want 
> to that I might have missed?

There's not currently a way to achieve this.  The '*' wildcard does
not match the path separator, so /* would only match commands in
the root directory.

If you know what directories the command will be located in you can
use, for example, /usr/bin/* or /usr/local/bin/* but there isn't a
way to allow a command to be run purely based on the digest.

 - todd

More information about the sudo-users mailing list