[sudo-users] Grant permission by "digest" only?

A. James Lewis james at fsck.co.uk
Mon Mar 23 07:32:21 MDT 2020


I have one further question on this topic... would it be possible with
this update to specify command line options, (perhaps filename?)...
while permitting access via digest?  I.e., I care that they run an
unmodified tool... and I want to potentially limit command line options,
but not where it's located or what it's called?

James

On 11/03/2020 19:52, Todd C. Miller wrote:
> On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
>
>> I would like to allow "sudo" to grant access to /any/ binary that 
>> matches the specified digest/checksum, or at least a given filename in 
>> any path location.... Reading the manual for sudo it appears to suggest 
>> that "*" matches 0 or more character, so I would hope I could match /* 
>> and specify a digest.
> The natural way to do this with sudo would be to use the "ALL"
> reserved alias.  However, there is not currently a way to specify
> a digest along with "ALL".
>
> I just checked in support for this to what will be sudo 1.9.0 so
> it will be possible in the near future.  For example, you can now
> do things like this:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA== ALL,\
>               sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
> to allow "millert" to run any command that matches one of two
> SHA-2 digests.
>
> Sudo 1.9.0 also supports multiple digests per command so this could
> be written as:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA==,\
>               sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
>  - todd

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
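As an added example (not code from sudo or from either poster), this Python snippet computes the `sha224:<base64>` value a sudoers digest spec takes, checks a file against an allow-list by content rather than by path or name, and renders the two-digest `ALL` line Todd shows above; the file names and contents are constructed.

```python
# Added example, not sudo's own code: build the "algo:digest" values a
# sudoers digest spec takes and check a binary by content, not by path.
import base64
import hashlib
import os
import tempfile


def digest_of_bytes(data, algo="sha224", encoding="base64"):
    """Return 'algo:value' with value in base64 (as in the thread) or hex."""
    raw = hashlib.new(algo, data).digest()
    value = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()
    return f"{algo}:{value}"


def _decode_spec(spec):
    """Split 'algo:value' into (algo, raw bytes). Hex and base64 are told
    apart by length: hex is always 2*digest_size, base64 is shorter."""
    algo, _, value = spec.partition(":")
    if len(value) == 2 * hashlib.new(algo).digest_size:
        return algo, bytes.fromhex(value)
    return algo, base64.b64decode(value, validate=True)


def matches_allowed(path, allowed):
    """True if the file at 'path' hashes to any allowed digest. The file's
    name and directory play no part, which is what a digest + ALL rule relies on."""
    with open(path, "rb") as f:
        data = f.read()
    return any(hashlib.new(a, data).digest() == d
               for a, d in map(_decode_spec, allowed))


def sudoers_entry(user, digests, host="ALL", command="ALL"):
    """Render the multi-digest form from the thread: digests joined by a
    comma plus backslash continuation, followed by a single command."""
    return f"{user} {host} = " + ",\\\n              ".join(digests) + f" {command}"


def demo():
    """Constructed files: an approved tool, a renamed copy, a modified copy."""
    tool = b"#!/bin/sh\necho approved tool\n"          # constructed content
    allowed = [digest_of_bytes(tool), digest_of_bytes(tool, encoding="hex")]
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("tool", "renamed", "modified")}
        for name, body in (("tool", tool), ("renamed", tool),
                           ("modified", tool + b"echo extra\n")):
            with open(paths[name], "wb") as f:
                f.write(body)
        return {"entry": sudoers_entry("millert", allowed[:1]),
                "renamed_copy_matches": matches_allowed(paths["renamed"], allowed),
                "modified_copy_matches": matches_allowed(paths["modified"], allowed)}
```

A renamed or relocated copy still matches because only the content is hashed, while a copy with even one extra byte does not.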
