[sudo-users] Grant permission by "digest" only?

David Ledger david.ledger at ivdcs.co.uk
Sun Mar 1 15:06:18 MST 2020

On 1 Mar 2020, at 22:00, Todd C. Miller wrote:

> On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
>> I would like to allow "sudo" to grant access to /any/ binary that
>> matches the specified digest/checksum, or at least a given filename 
>> in
>> any path location.... Reading the manual for sudo it appears to 
>> suggest
>> that "*" matches 0 or more character, so I would hope I could match 
>> /*
>> and specify a digest.
>> The problem is that * seems to match any character except "/", so I 
>> can
>> only specify "any binary" at a specific depth in the filesystem.  Is
>> there some way to achieve this, or some security reason I shouldn't 
>> want
>> to that I might have missed?
> There's not currently a way to achieve this.  The '*' wildcard does
> not match the path separator, so /* would only match commands in
> the root directory.
> If you know what directories the command will be located in you can
> use, for example, /usr/bin/* or /usr/local/bin/* but there isn't a
> way to allow a command to be run purely based on the digest.
>  - todd

There’s no reason why you should not create a ~root/sudo-bin or 
similar; hard link the binaries you want to allow into there; then 
specify all in there as available.


More information about the sudo-users mailing list