[sudo-users] Grant permission by "digest" only?

Todd C. Miller Todd.Miller at sudo.ws
Wed Mar 11 13:52:31 MDT 2020


On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:

> I would like to allow "sudo" to grant access to /any/ binary that 
> matches the specified digest/checksum, or at least a given filename in 
> any path location.... Reading the manual for sudo it appears to suggest 
> that "*" matches 0 or more character, so I would hope I could match /* 
> and specify a digest.

The natural way to do this with sudo would be to use the "ALL"
reserved alias.  However, there is not currently a way to specify
a digest along with "ALL".

I just checked in support for this to what will be sudo 1.9.0 so
it will be possible in the near future.  For example, you can now
do things like this:

millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA== ALL,\
              sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL

to allow "millert" to run any command that matches one of two
SHA-2 digests.

Sudo 1.9.0 also supports multiple digests per command so this could
be written as:

millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA==,\
              sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL

 - todd
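As an added example (my code, not sudo's and not from the thread), a small Python helper that computes the `sha224:` base64 digest sudoers expects for a binary, checks whether a binary matches any of a list of digest specs in the way the "digest ALL" rules above would, and emits the compact multi-digest line form. All function names are mine; `write_constructed_binary` only creates a temporary sample file so the code runs stand-alone.

```python
import base64
import hashlib
import tempfile

# Digest types sudoers accepts, with the size of the raw digest in bytes.
SUDOERS_DIGESTS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}

def file_digest(path, algo="sha224", encoding="base64"):
    """Return 'algo:value' for the file at path in the form sudoers takes;
    sudoers accepts either base64 (as in the message) or hex for the value."""
    if algo not in SUDOERS_DIGESTS:
        raise ValueError(f"unsupported digest type: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large binaries
            h.update(chunk)
    raw = h.digest()
    value = base64.b64encode(raw).decode("ascii") if encoding == "base64" else raw.hex()
    return f"{algo}:{value}"

def parse_digest_spec(spec):
    """Split 'algo:value' into (algo, raw bytes); hex is recognised by its length
    (twice the digest size), base64 is always shorter than that."""
    algo, _, value = spec.partition(":")
    size = SUDOERS_DIGESTS[algo]
    if len(value) == 2 * size:
        return algo, bytes.fromhex(value)
    return algo, base64.b64decode(value, validate=True)

def matches_any(path, specs):
    """True if the binary's digest equals one of the specs, mirroring what the
    'digest ALL, digest ALL' and 'digest, digest ALL' forms above both allow."""
    for spec in specs:
        algo, want = parse_digest_spec(spec)
        if parse_digest_spec(file_digest(path, algo))[1] == want:
            return True
    return False

def sudoers_line(user, specs, host="ALL"):
    """Emit the compact multi-digest form: every digest, then a single ALL."""
    indent = " " * len(f"{user} {host} = ")  # line up continuation lines
    return f"{user} {host} = " + (",\\\n" + indent).join(specs) + " ALL"

def write_constructed_binary(data):
    """Write constructed sample content to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(data)
        return f.name
```

Note that a digest rule only pins the file contents: rebuilding or updating the binary changes its digest, so the sudoers entry has to be regenerated with each release of the command it covers.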

