"noexec" flag
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 27 15:48:36 EDT 2004
In message <F6E6EB8E-B00C-11D8-AA31-000A9579FDFC at mac.com>
so spake Jacob Pszonowsky (jdp16):
> What is it I need to do to enable "noexec" in the beta version?
This is documented in the sudoers man page, though it could probably
do with more examples.
There are two ways:
1) The "noexec" Defaults option can turn off exec on a more or less
global basis. It works just like the other Defaults things in sudoers.
E.g.

    Defaults noexec
    Defaults@Hostname noexec
    Defaults:Username noexec
    Defaults>RunasUser noexec

Note that many programs require that they be able to execute other
programs in order to function.
2) There is a per-entry NOEXEC flag that is syntactically similar
to the NOPASSWD modifier.
E.g.

    bob server = NOEXEC: /usr/bin/more, /usr/bin/vi

would allow bob to run more and vi on the machine "server" with
noexec enabled.
- todd
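
The per-entry example above depends on tag inheritance: per the sudoers manual, a tag set on one command carries over to the following commands in the list until the opposite tag (EXEC:) overrides it. The Python below is an added example, not part of the original message or of sudo; it reports the effective noexec state of each command in simple one-line entries. The names noexec_status and SAMPLE and the sample entries are constructed for illustration, and aliases, line continuations and scoped Defaults are assumed absent.

```python
import re

TAG_RE = re.compile(r"^([A-Z_]+):\s*")   # NOEXEC:, EXEC:, NOPASSWD:, ...

# Constructed sample: the first entry is the one from the message,
# the second is hypothetical and mixes NOEXEC: with EXEC:.
SAMPLE = """\
bob server = NOEXEC: /usr/bin/more, /usr/bin/vi
alice server = /usr/bin/less, NOEXEC: /usr/bin/vi, EXEC: /usr/bin/make
"""

def noexec_status(text):
    """Return [(user, command, noexec_enabled)] for one-line user specs."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]

    # An unscoped "Defaults noexec" sets the starting state for every entry.
    global_noexec = False
    for l in lines:
        if re.match(r"^Defaults\s", l):
            for opt in l.split(None, 1)[1].split(","):
                if opt.strip() == "noexec":
                    global_noexec = True
                elif opt.strip() == "!noexec":
                    global_noexec = False

    results = []
    for l in lines:
        if l.startswith("Defaults") or "=" not in l:
            continue
        who, cmds = l.split("=", 1)
        parts = who.split()
        if len(parts) != 2:                # not a plain "user host =" entry
            continue
        noexec = global_noexec             # state carries from command to command
        for item in cmds.split(","):
            item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # drop "(runas)"
            while (m := TAG_RE.match(item)):
                if m.group(1) == "NOEXEC":
                    noexec = True
                elif m.group(1) == "EXEC":
                    noexec = False
                item = item[m.end():]
            results.append((parts[0], item, noexec))
    return results

if __name__ == "__main__":
    for user, cmd, state in noexec_status(SAMPLE):
        print(f"{user:6} {cmd:15} noexec={'on' if state else 'OFF'}")
```

Commands reported with noexec off that can spawn a shell (pagers, editors) are the entries worth reviewing.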