[sudo-users] Pass a command line option to a plugin?
Manner Róbert
rmanni at gmail.com
Thu Feb 4 04:14:57 MST 2021
Hi,
I guess there is no convenient way to achieve this extra argument
parsing yet with python plugins. However, the use case sounds valid to me.
The problem is that sudo needs to give an error if badly called, so we
might need a way to parse and change command line arguments before sudo
validates them (remove the "--ticket" option as sudo does not understand
that).
Something like this might work (I did not try):
    sudo -- id                    # call without ticket id
    sudo -- --ticket T1023 id     # call with ticket id
(sudo stops parsing at the "--") and then process that option from a
*policy* python plugin and change the actual command run by removing the
"--ticket T1023" part. However this is quite hackish and inconvenient
and I guess you do not want to replace the sudoers policy plugin here
just for this.
I would achieve ticketing instead with an *approval* or *audit* plugin,
and pass the ticket id as an environment variable (see userenv argument).
E.g.:
    TICKET=T1023 sudo id
And optionally if the ticket is not present or invalid, you would reject
the execution.
I did not try though... Keep us updated :)
Br,
Robert
On 2/3/21 4:21 PM, Armin Kunaschik via sudo-users wrote:
> Hi there,
>
> I'm quite excited about the python plugin api. I'd like to add a ticket
> number to an allowed sudo execution. But how can I pass the ticket number
> to the plugin? Best way would be to have a commandline option like --ticket
> which is not parsed by sudo but passed to the plugin. Are there other,
> better ways to achieve that? Any suggestions?
>
> Regards,
> Armin
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
>
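
[Added example, not part of the thread and not code from the sudo project: a sketch of the approval-plugin approach suggested in the reply, reading TICKET from the user_env tuple that sudo passes to the plugin constructor and rejecting the run when it is missing or malformed. The class name, the T<digits> ticket format and the check_ticket helper are assumptions made for illustration.]

```python
import re

try:
    import sudo  # only available inside sudo's embedded Python interpreter
except ImportError:  # lets check_ticket() be exercised outside of sudo
    sudo = None

# Assumed ticket format, modelled on the "T1023" used in the thread.
TICKET_RE = re.compile(r"T[0-9]{1,10}")


def check_ticket(user_env):
    """Return (ticket, None) if TICKET is well-formed, else (None, reason).

    user_env is a tuple of "KEY=value" strings. The value is set by the
    invoking user, so it is untrusted input: it gets a strict format check
    before anything else (lookup, logging) is done with it.
    """
    ticket = None
    for entry in user_env:
        key, sep, value = entry.partition("=")
        if sep and key == "TICKET":
            ticket = value
            break  # first occurrence wins
    if ticket is None:
        return None, "no TICKET set in the environment"
    if not TICKET_RE.fullmatch(ticket):
        return None, "TICKET is not of the form T<digits>"
    # Assumption: a real deployment would also verify the id against the
    # ticketing system here; a well-formed id alone proves nothing.
    return ticket, None


if sudo is not None:
    class TicketApprovalPlugin(sudo.Plugin):  # hypothetical class name
        def __init__(self, user_env, **kwargs):
            self.user_env = user_env

        def check(self, command_info, run_argv, run_env):
            ticket, reason = check_ticket(self.user_env)
            if reason:
                raise sudo.PluginReject(reason)  # sudo refuses to run
            return sudo.RC.ACCEPT
```

[Such a class is loaded from sudo.conf with a "Plugin python_approval python_plugin.so" line carrying ModulePath= and ClassName= arguments.]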