Wednesday, 3 July 2013

How to Prohibiting Command-line arguments with sudo

Problem: ou want to permit a command to be run via sudo, but only without command-line arguments.

Solution: Follow the pgm name with the single argument :: in /etc/sudoers:

/etc/sudoers:
smith ALL = (root) /usr/local/bin/mycommand ""

smith$ sudo -u root mycommand a b c  ----   Rejected
smith$ sudo -u root mycommand    ----     Authorized

NOTE:
if you specify no arguments to a command in /etc/sudoers, then by default any arguments are permitted.

/etc/sudoers:
smith ALL = (root) /usr/local/bin/mycommand

smith$ sudo -u root mycommand a b c  ----- Authorized
Use "" to prevent any runtime arguments from being authorized.


 

No comments:

Post a Comment