[sudo-users] Grant permission by "digest" only?

David Ledger david.ledger at ivdcs.co.uk
Sun Mar 1 15:06:18 MST 2020


On 1 Mar 2020, at 22:00, Todd C. Miller wrote:

> On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
>
>> I would like to allow "sudo" to grant access to /any/ binary that
>> matches the specified digest/checksum, or at least a given filename in
>> any path location... Reading the manual for sudo it appears to suggest
>> that "*" matches 0 or more characters, so I would hope I could match /*
>> and specify a digest.
>>
>> The problem is that * seems to match any character except "/", so I can
>> only specify "any binary" at a specific depth in the filesystem.  Is
>> there some way to achieve this, or some security reason I shouldn't want
>> to that I might have missed?
>
> There's not currently a way to achieve this.  The '*' wildcard does
> not match the path separator, so /* would only match commands in
> the root directory.
>
> If you know what directories the command will be located in you can
> use, for example, /usr/bin/* or /usr/local/bin/* but there isn't a
> way to allow a command to be run purely based on the digest.
>
>  - todd

There’s no reason why you should not create a ~root/sudo-bin or 
similar; hard link the binaries you want to allow into there; then 
specify all in there as available.

David
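The directory approach above, carried one step further, as an added example that is not code from the thread or from the sudo project: it creates the private command directory, hard-links the chosen binaries into it, and prints a sudoers fragment that allows each linked copy by path and by SHA-256 digest (so the content check the original poster asked for is kept as well), then validates the fragment with visudo before installing it. It assumes a Linux host with coreutils (sha256sum, ln, install) or macOS (shasum), and sudo 1.8.7 or newer, which is where Digest_Spec appeared. The function names, the alias SUDO_BIN, the user alice and the path /root/sudo-bin are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not part of the sudo-users thread or of sudo itself.
# Assumes coreutils or macOS shasum, and sudo >= 1.8.7 for "sha256:" digests.

# Hex SHA-256 of one file, in the form sudoers expects after "sha256:".
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Hard-link each binary into DIR (the "~root/sudo-bin" of the reply).
# A hard link shares the inode with the original, so its digest is the
# original's digest. Two caveats: ln cannot link across filesystems, and a
# package upgrade that replaces the original leaves the link holding the old
# content, so relink and regenerate the fragment after upgrades.
# The directory is root-owned 0755: the user must not be able to write to it,
# because a plain "DIR/*" rule would otherwise allow anything dropped there.
sudo_bin_link() {
    dir=$1; shift
    mkdir -p "$dir" && chmod 0755 "$dir" || return 1
    for src in "$@"; do
        if [ ! -f "$src" ]; then
            echo "sudo_bin_link: $src is not a regular file" >&2
            return 1
        fi
        ln -f "$src" "$dir/$(basename "$src")" || return 1
    done
}

# Print a sudoers fragment: a Cmnd_Alias of digest-pinned entries for the
# linked copies, and one rule granting the alias to USER as root.
# (Without the digests this collapses to the reply's "USER ALL = DIR/*".)
sudoers_fragment() {
    user=$1; dir=$2; shift 2
    list=
    for src in "$@"; do
        path="$dir/$(basename "$src")"
        if [ ! -f "$path" ]; then
            echo "sudoers_fragment: $path is missing, link it first" >&2
            return 1
        fi
        digest=$(file_sha256 "$path") || return 1
        list="${list:+$list, }sha256:$digest $path"
    done
    printf 'Cmnd_Alias SUDO_BIN = %s\n' "$list"
    printf '%s ALL = (root) SUDO_BIN\n' "$user"
}

# Write the fragment under /etc/sudoers.d only if visudo accepts its syntax.
# Needs root and a host with visudo; the other functions need neither.
sudoers_install() {
    user=$1; dir=$2; shift 2
    tmp=$(mktemp) || return 1
    sudoers_fragment "$user" "$dir" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -c -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/sudo-bin
    fi
    rm -f "$tmp"
}
```

Typical use as root is `sudo_bin_link /root/sudo-bin /usr/bin/foo /usr/local/bin/bar` followed by `sudoers_install alice /root/sudo-bin /usr/bin/foo /usr/local/bin/bar`. The digest entries pin the content of each linked file, which is what the original poster wanted; the directory itself is what gives sudo a fixed path to match, which is what the reply addresses.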

