fine-grained sudoers configuration (allowed commandline arguments)
Solution 1
For your case try something like this:
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
user ALL=(root) NOPASSWD: PACMAN
You can use shell glob patterns like [a-z], [0-9], * etc. in your sudoers file to exclude packages that match a certain pattern.
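Added example (not part of the answer above, and not sudo's own code): a simplified Python model of the argument-matching rules documented in sudoers(5), run over the alias from this answer and a few constructed invocations to show which ones each rule admits. The variant aliases, the `lib*` pattern and the package names `vim` and `libfoo` are assumptions made up for the illustration.

```python
import fnmatch

PACMAN_BIN = "/usr/bin/pacman"
ANY_ARGS = None      # entry written without arguments: any arguments are accepted
NO_ARGS = '""'       # entry written with "": only a call with no arguments matches

def entry_matches(spec_args, argv):
    """Match one entry's argument part against the arguments the user typed."""
    if spec_args is ANY_ARGS:
        return True
    if spec_args == NO_ARGS:
        return not argv
    # Arguments are compared as a single space-joined string, so a wildcard
    # such as '*' can match across word boundaries.
    return fnmatch.fnmatchcase(" ".join(argv), spec_args)

def allowed(alias, cmd, argv):
    """alias: list of (negated, command, args); the last matching entry decides."""
    verdict = False
    for negated, spec_cmd, spec_args in alias:
        if spec_cmd == cmd and entry_matches(spec_args, argv):
            verdict = not negated
    return verdict

# The alias from the answer above, and three constructed variants for comparison.
ANSWER = [(False, PACMAN_BIN, "-S -u"), (True, PACMAN_BIN, "-S -u some_package")]
EXACT = [(False, PACMAN_BIN, "-S -u")]
BARE = [(False, PACMAN_BIN, ANY_ARGS)]
GLOB_DENY = [(False, PACMAN_BIN, "-S -u *"), (True, PACMAN_BIN, "-S -u lib*")]

# Constructed invocations (package names are made up).
CALLS = [["-S", "-u"], ["-S", "-u", "some_package"], ["-S", "-u", "vim", "libfoo"]]

def audit(alias):
    """Return, for each constructed call, whether the alias would permit it."""
    return [allowed(alias, PACMAN_BIN, argv) for argv in CALLS]

if __name__ == "__main__":
    for name, alias in [("ANSWER", ANSWER), ("EXACT", EXACT),
                        ("BARE", BARE), ("GLOB_DENY", GLOB_DENY)]:
        print(name, audit(alias))
```

On a real system, `visudo -c` and `sudo -l` are the authority on what a given sudoers file permits; the model only makes the documented rules easy to compare side by side.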
Solution 2
Write a script that does what you want and give sudo access to it.
Also make sure that whatever environment this is run in does not have access to networking at all, or they can just use their own DNS to spoof the mirror and then run arbitrary code as root when it gets installed by pacman.
Author by
nisc
Updated on September 17, 2022
Comments
-
nisc over 1 year
Is there a straightforward way to allow a user to run (for example)
/usr/bin/pacman -S -u
as root, without allowing him to run
/usr/bin/pacman -S -u some_package
?
The line
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -u
allows both, and
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -u ""
appears to be semantically equivalent.
-
matthias krull almost 14 years
That's not an elegant way; sudo supports by default the exact given case.
-
Aaron J Lang over 9 years
Not the best solution, but +1 for security warning