Recipe 5.9 Prohibiting Command Arguments with sudo

5.9.1 Problem

You want to permit a command to be run via sudo, but only without command-line arguments.

5.9.2 Solution

Follow the program name with the single argument "" in /etc/sudoers:

    /etc/sudoers:
    smith  ALL = (root) /usr/local/bin/mycommand ""

    smith$ sudo -u root mycommand a b c                         Rejected
    smith$ sudo -u root mycommand                               Authorized

5.9.3 Discussion

If you specify no arguments to a command in /etc/sudoers, then by default any arguments are permitted.

    /etc/sudoers:
    smith  ALL = (root) /usr/local/bin/mycommand

    smith$ sudo -u root mycommand a b c                         Authorized

Use "" to prevent any runtime arguments from being authorized.
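
As an added example (not code from the book), the following Python sketch audits sudoers text for the distinction discussed above: for each command in a user rule it reports whether arguments are unrestricted (bare path), prohibited (""), or limited to those listed. The sample text is constructed (only the two mycommand rules come from the recipe), and the parser is a simplification that assumes one host section per rule and does not expand aliases or includes.

```python
import re

# Constructed sample; only the two mycommand rules come from the recipe.
SAMPLE = '''\
Defaults env_reset
smith  ALL = (root) /usr/local/bin/mycommand ""
jones  ALL = (root) /usr/local/bin/mycommand
brown  ALL = (root) NOPASSWD: /usr/bin/systemctl restart httpd, \\
               /usr/local/bin/report
'''

SKIP = re.compile(r'^(Defaults|\w+_Alias)\b')              # not user specs
PREFIX = re.compile(r'^(?:\([^)]*\)\s*|[A-Z_]+:\s*)*')     # (runas) and TAG:
COMMA = re.compile(r'(?<!\\),(?![^(]*\))')                 # unescaped, outside ()

def classify(cmnd):
    """Describe how a single sudoers command spec treats arguments."""
    parts = cmnd.split(None, 1)
    if not parts[0].startswith('/'):
        return 'not-a-path'      # ALL, an alias name, sudoedit: review by hand
    if len(parts) == 1:
        return 'any-args'        # bare path: any arguments are authorized
    if parts[1].strip() == '""':
        return 'no-args'         # "": authorized only with no arguments
    return 'listed-args'         # only the arguments written in the rule

def audit(text):
    """Return (user, command, classification) for every command in each rule."""
    text = re.sub(r'\\\n', ' ', text)            # join continuation lines
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#@' or SKIP.match(line) or '=' not in line:
            continue                             # comment, include, Defaults, alias
        lhs, rhs = line.split('=', 1)
        user = lhs.split()[0]
        for cmnd in COMMA.split(rhs):
            cmnd = PREFIX.sub('', cmnd.strip())
            if cmnd:
                findings.append((user, cmnd.split()[0], classify(cmnd)))
    return findings

def unrestricted(text):
    """Rules that authorize a command with arbitrary arguments."""
    return [(u, c) for u, c, kind in audit(text) if kind == 'any-args']

if __name__ == '__main__':
    for user, cmd, kind in audit(SAMPLE):
        print(f'{user:8} {cmd:28} {kind}')
```

Entries reported as any-args are the ones to review: add "" or an explicit argument list if the command should not accept arbitrary arguments.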

5.9.4 See Also

sudo(8), sudoers(5).



Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247