fine-grained sudoers configuration (allowed commandline arguments)
23,811
Solution 1
For your case try something like this:
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
user ALL=(root) NOPASSWD: PACMAN
You can use shell glob patterns like [a-z],[0-9],* etc. in your sudoers file to exclude packages that match a certain pattern.
Solution 2
Write a script that does what you want and give sudo access to it.
Also make sure that whatever environment this is run in does not have access to the networking at all, or they can just use their own dns to spoof the mirror and then run arbitrary code as root when it gets installed by pacman.
Related videos on Youtube
20 : 15
Basic Linux Permissions part 6: sudo and sudoers
19 : 10
Linux Security - Configuring SUDO Access
12 : 11
How to Configure Fine Grained Password Policies on Windows Server 2019
11 : 22
Sysmon, Winlogbeat, and Security Onion!
02 : 06
fine-grained sudoers configuration (allowed commandline arguments) (2 Solutions!!)
Author by
nisc
Updated on September 17, 2022Comments
-
nisc over 1 year
is there a straight-forward way to allow a user to run (for example)
/usr/bin/pacman -S -uas root, without allowing him to run
/usr/bin/pacman -S -u some_package?
The line
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -uallows both, and
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -u ""appears to be semantically equivalent.
-
matthias krull almost 14 yearsthats not an elegant way, sudo supports by default the exact given case
-
Aaron J Lang over 9 yearsNot the best solution, but +1 for security warning
