Problem: Authorize a user to run all programs in a given directory, but only those programs, as another user.
Solution: Specify a fully-qualified directory name instead of a command, ending it with a slash.
/etc/sudoers:
smith ALL = (root) /usr/local/bin/
smith$ sudo -u root /usr/local/bin/mycommand Authorized
smith$ sudo -u root /usr/bin/emacs Rejected
This authorization does not descend into subdirectories:
smith$ sudo -u root /usr/local/bin/gnu/emacs Rejected
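A directory rule authorizes whatever sits directly in that directory, so it is only as tight as the directory's permissions. The following is an added example, not part of the original post: a shell function that lists what such a rule covers and flags a directory or program that someone other than the run-as user can modify. The function name audit_sudo_dir and its output labels are hypothetical, and it assumes a find with -mindepth/-maxdepth (GNU, BSD, BusyBox).

```shell
#!/bin/sh
# Added example: audit a directory named by a sudoers directory rule
# such as "smith ALL = (root) /usr/local/bin/".
# audit_sudo_dir and the output labels are hypothetical names.
#
# usage: audit_sudo_dir DIR [OWNER]   OWNER defaults to root (the run-as user)
audit_sudo_dir() {
    dir=${1%/}              # accept the trailing slash used in sudoers
    [ -n "$dir" ] || dir=/
    owner=${2:-root}

    # The directory itself: whoever can write to it can add a program,
    # and the rule authorizes every program placed directly inside.
    find "$dir" -maxdepth 0 \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -exec printf 'UNSAFE-DIR %s\n' {} \;

    # Executables directly inside: whoever can modify one controls what
    # runs as the target user.
    find "$dir" -mindepth 1 -maxdepth 1 -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -exec printf 'UNSAFE-FILE %s\n' {} \;

    # What the rule covers: depth 1 only, because the authorization
    # does not descend into subdirectories.
    find "$dir" -mindepth 1 -maxdepth 1 -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'COVERED %s\n' {} \;
}
```

Run it as audit_sudo_dir /usr/local/bin/ and review any UNSAFE line before relying on the rule.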