[sudo-users] Grant permission by "digest" only?
Daniele Palumbo
daniele at retaggio.net
Wed May 5 10:00:28 MDT 2021
Il giorno 11 mar 2020, alle ore 20:52, Todd C. Miller <Todd.Miller at sudo.ws> ha scritto:
> I just checked in support for this to what will be sudo 1.9.0 so
> it will be possible in the near future. For example, you can now
> do things like this:
A useful side effect would be to be able to execute only the binaries that are compliant with a package manager.
more generically, a "run this command in advance in order to trust the binary" could be useful.
In this way, also "badly written rules" could be more safe.
eg:
* if the file belong to a package manager, allow only if the hash match the package manager;
* if the file belong to a package manager, allow only if the file permissions match;
this could be "exit 0 based" on a custom script or whatever, to support multiple package manager in the same OS.
It should work like other option (NOPASSWD, to mention one) to be effective.
Just an idea to improve the security :)
HTH,
Daniele
More information about the sudo-users
mailing list