[sudo-workers] expansion in filenames

David Thomas davidleothomas at gmail.com
Thu Apr 28 16:49:30 EDT 2011


Hi list,

I've a goal in mind, and a proposed extension which will put it within
reach.  I welcome comments if 1) there's already an easy (enough) path
to my goal, 2) it's really not a good idea in the first place, or 3)
someone's already working on a comparable extension. Otherwise, I'll
see about putting together a patch in the next few days.

My goal is to allow a user to grant other users the ability to run
something as them in a controlled way without intervention from the
system administrator. This way, I can grant another user controlled
access to resources I control.  Setuid is a partial solution, but
setuid scripts are generally insecure, perl-setuid is on the way out,
and (most importantly) a setuid application can still return to its
real UID so I must trust the person whose resources I intend to access
not to abuse my permissions.

So, my thought is to apply the escape sequence expansions permissible
in the password prompt to filenames, allowing something like:

ALL  ALL=(ALL) /home/%U/blessed/%u/*

This would allow me to grant, say, steve the ability to run
dosomething.sh as me by putting the script in ~/blessed/steve/,
something which really should be between steve and me and not need the
blessing of the sysadmin in each individual case.

Thoughts?
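
A sketch of how the proposed expansion could be evaluated, added here as an illustration; it is not part of the original post and not sudo code. `expand` and `permitted` are hypothetical helpers, `%u` and `%U` carry their password-prompt meanings (invoking user, run-as user), and wildcards are assumed not to match "/". Symlinks and directory ownership are not checked.

```python
import re
from fnmatch import fnmatchcase
from posixpath import normpath

RULE = "/home/%U/blessed/%u/*"   # command pattern from the post

def _glob_escape(name):
    # Make glob metacharacters in a login name match literally.
    return re.sub(r"([*?\[])", r"[\1]", name)

def expand(pattern, invoking_user, runas_user):
    """Expand %u (invoking user), %U (run-as user) and %% in a rule path."""
    for name in (invoking_user, runas_user):
        # A name that could add or climb path components is refused outright.
        if not name or "/" in name or name in (".", ".."):
            raise ValueError("unsafe login name: %r" % name)
    table = {"u": _glob_escape(invoking_user),
             "U": _glob_escape(runas_user),
             "%": "%"}
    return re.sub(r"%([uU%])", lambda m: table[m.group(1)], pattern)

def permitted(pattern, invoking_user, runas_user, command):
    """True if command matches the expanded pattern, component by component."""
    # Reject relative paths and anything containing "..", "." or "//".
    if not command.startswith("/") or normpath(command) != command:
        return False
    want = expand(pattern, invoking_user, runas_user).split("/")
    have = command.split("/")
    # Assumption: a wildcard stays within one path component, so the
    # number of components must agree before matching each one.
    return len(want) == len(have) and all(
        fnmatchcase(h, w) for h, w in zip(have, want))
```

With `ALL` as the run-as list, the same rule also expands to `/home/root/blessed/%u/*` when the target user is root, so whoever can write under that path decides what runs as root.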


