[sudo-users] Grant permission by "digest" only?
A. James Lewis
james at fsck.co.uk
Mon Mar 23 07:32:21 MDT 2020
I have one further question on this topic... would it be possible with
this update to specify command line options, (perhaps filename?)...
while permitting access via digest? I.e., I care that they run an
unmodified tool... and I want to potentially limit command line options,
but not where it's located or what it's called?
James
On 11/03/2020 19:52, Todd C. Miller wrote:
> On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
>
>> I would like to allow "sudo" to grant access to /any/ binary that
>> matches the specified digest/checksum, or at least a given filename in
>> any path location.... Reading the manual for sudo it appears to suggest
>> that "*" matches 0 or more character, so I would hope I could match /*
>> and specify a digest.
> The natural way to do this with sudo would be to use the "ALL"
> reserved alias. However, there is not currently a way to specify
> a digest along with "ALL".
>
> I just checked in support for this to what will be sudo 1.9.0 so
> it will be possible in the near future. For example, you can now
> do things like this:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA== ALL,\
> sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
> to allow "millert" to run any command that matches one of two
> SHA-2 digests.
>
> Sudo 1.9.0 also supports multiple digests per command so this could
> be written as:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA==,\
> sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
> - todd
--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
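As an added illustration of the digest-pinned "ALL" rules Todd describes (not code from the thread or from the sudo project), the functions below compute a binary's SHA-224 in the base64 form his examples use, emit the matching sudoers line, and check a candidate file against a pinned digest. They assume openssl and base64 are installed; the user name and file contents used are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread or of sudo itself.
# Assumes: openssl(1) and base64(1) on PATH; user/file names are constructed.

# Print the SHA-224 digest of file $1 as base64 with no trailing newline,
# i.e. the form that appears after "sha224:" in Todd's sudoers examples.
sudoers_sha224() {
    openssl dgst -sha224 -binary "$1" | base64 | tr -d '\n'
}

# Emit a sudoers rule letting user $1 run any command whose contents match
# the digest of file $2, regardless of the command's path or name.
digest_rule() {
    user=$1
    file=$2
    printf '%s ALL = sha224:%s ALL\n' "$user" "$(sudoers_sha224 "$file")"
}

# Return success only if candidate file $2 has the pinned digest $1.
# sudo performs this comparison itself at run time; shown here so an
# administrator can pre-check which binaries a rule would accept.
digest_matches() {
    pinned=$1
    candidate=$2
    [ "$pinned" = "$(sudoers_sha224 "$candidate")" ]
}

# Usage (constructed input): pin the digest of one file and generate its rule.
# tool=$(mktemp); printf 'constructed sample tool\n' > "$tool"
# digest_rule alice "$tool"
```

Because the rule matches on contents rather than location, re-run `digest_rule` after every legitimate update of the tool; a patched binary with a new digest will otherwise be refused by sudo.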