[sudo-users] (Hopefully) quick policy question

Mihai Moldovan ionic at ionic.de
Tue Sep 26 16:29:57 MDT 2023


* On 9/26/23 20:18, Jore wrote:
> So I added this line to sudoers (and note the use of unwanted * glob
> again?? Is this still unsafe/can something better be here?):

The glob itself is not "unsafe". It just allows any and all user input. There's
nothing particularly bad about it. You're sanitizing it later on anyway.


>     test ALL = NOPASSWD: /usr/bin/bash /home/test/acme-wrapper.sh *
> 
> 
> Regardless, when test user runs:
> 
> $ bash /home/test/acme-wrapper.sh foobar123.example.com
> /usr/bin/bash: /root/.acme.sh/acme.sh: Permission denied
> 

Because you probably meant to execute sudo bash /home/test/acme-wrapper.sh
foobar123.example.com? :)


> Also, this approach seems needlessly complicated?

It's more flexible and more complicated.

With sudo 1.9.10, support for regular expressions in sudoers rules has been
added[0]. Previous versions do not support this. This feature is what you would
like to have, but given that it's not supported in your version, you will have
to make do with something else.


> To my noob mind, it'd be much better to build some rule into the
> sudoers file directly, no? If possible...

Again, it highly depends on what people want to achieve. If the only thing
dynamic/user input is a domain name and you have a regular expression only
allowing the input you want to accept, that certainly is a convenient way to go.
For more complicated cases, this quickly gets unwieldy (regular expressions are
pretty limited in what they can do too.)



Mihai


[0] https://www.sudo.ws/releases/stable/#1.9.10
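The input filtering the reply relies on ("you're sanitizing it later on anyway"), as an added example that is not from the thread or from the acme.sh project: a wrapper that accepts exactly one domain name, rejects anything else, and only then runs the privileged command. The path /root/.acme.sh/acme.sh is taken from the quoted error message; the acme.sh options shown are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): a wrapper that accepts one domain
# name, validates it strictly, and only then runs the privileged command.
# With sudo >= 1.9.10 the same restriction could be expressed as a regular
# expression in sudoers; for older versions this script does the filtering.
# Assumptions: acme.sh lives at /root/.acme.sh/acme.sh (the path in the quoted
# error); the --issue/-d/--standalone options are illustrative.

# is_valid_domain NAME: returns 0 for a lowercase hostname such as
# foobar123.example.com, 1 for anything else.
is_valid_domain() {
    name=$1
    # Whole-string character check first: this rejects newlines, spaces,
    # shell metacharacters and anything else outside the hostname alphabet,
    # so a multi-line argument cannot sneak one valid line past grep below.
    case $name in
        '' | *[!a-z0-9.-]*) return 1 ;;
    esac
    # RFC 1035 length bound for a full name.
    [ "${#name}" -le 253 ] || return 1
    # Labels of 1-63 characters, no leading or trailing hyphen, at least two labels.
    printf '%s\n' "$name" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

main() {
    if [ $# -ne 1 ] || ! is_valid_domain "$1"; then
        printf 'usage: %s DOMAIN (lowercase hostname only)\n' "$0" >&2
        return 2
    fi
    # Without sudo the script cannot read /root/.acme.sh, which is the
    # "Permission denied" seen in the thread; fail early and say so.
    if [ "$(id -u)" -ne 0 ]; then
        printf 'this wrapper must be run via sudo\n' >&2
        return 1
    fi
    # Fixed program, fixed options; the validated domain is the only variable part.
    exec /root/.acme.sh/acme.sh --issue -d "$1" --standalone
}

# Run only when given arguments, so the file can also be sourced to exercise
# is_valid_domain on its own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install the wrapper (and point the sudoers rule at it) in a directory the invoking user cannot modify, such as /usr/local/sbin; otherwise the script's contents, not the sudoers rule, decide what runs as root.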