How to add flags and/or arguments to a command in the 'sudoers' file
As stated in the comments, there isn't a way to control sudoers in the way requested, although there are fine-grained permissions available in the system:
https://help.ubuntu.com/community/FilePermissionsACLs
But even that isn't quite enough: you'd basically have to replace all the standard program libraries with scripts to filter flags, which would be messy and potentially break the system.
Instead, consider flipping the problem and creating users who don't need sudoers: make sure they're in the right groups and use ACLs to expand permissions where needed, so they can access the files they need without causing issues.
Alex Lowe
Updated on September 18, 2022

Comments
-
Alex Lowe (over 1 year ago): How would I add flags and/or arguments to allow users in the sudoers file to run certain parts of commands, such as only allowing a user to run "sudo rm" and not "sudo rm -rf"? I am using 14.04.

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults env_reset,pwfeedback
    Defaults mail_badpass
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL:ALL) ALL
    Ruby ALL=/usr/bin/apt-get update,/usr/bin/rm,/usr/bin/rmdir,/usr/bin/mkdir

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.d
-
Panther (almost 9 years ago): I do not think you can have that fine grain of control over the commands directly. You can make a script, owned by root, in /usr/local/bin and give sudo to that: your_command -your_options @, just test the input.
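The wrapper approach Panther suggests only holds up if "just test the input" is done carefully. Below is an added example of such a wrapper, not code from the thread: a root-owned script assumed to live at /usr/local/bin/app-rm and to be the only command granted in sudoers, which deletes a single regular file below an assumed directory /srv/app/tmp and nothing else. The script name, the base directory, the sudoers line in the docstring and the sample file names in self_check are all assumptions for illustration.

```python
#!/usr/bin/env python3
"""Root-owned wrapper that deletes one regular file below BASE_DIR.

Added example in the spirit of "make a script, owned by root, in
/usr/local/bin and give sudo to that ... just test the input". Not code
from the thread. Assumed, hypothetical deployment:
  * installed as /usr/local/bin/app-rm, owner root, mode 0755
  * sudoers line:  someuser ALL=(root) /usr/local/bin/app-rm
  * BASE_DIR is the only directory it may touch
"""
import os
import shutil
import stat
import sys
import tempfile

BASE_DIR = "/srv/app/tmp"   # assumed: the directory this wrapper may clean


def validate_target(base_dir: str, raw: str) -> str:
    """Return the absolute path to delete, or raise ValueError.

    `raw` is interpreted relative to `base_dir`. Anything option-like,
    absolute, symlinked, directory-shaped or outside the base is refused
    rather than interpreted, so there is no recursive deletion at all.
    """
    if not raw or raw.startswith("-"):
        raise ValueError("refusing empty or option-like argument")
    if os.path.isabs(raw):
        raise ValueError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    candidate = os.path.join(base, raw)
    # Refuse a symlink at the final component before resolving: a link inside
    # the base directory may point anywhere on the system.
    if os.path.islink(candidate):
        raise ValueError("symlinks are not accepted")
    # realpath collapses '..' and follows symlinked parent directories; only
    # the fully resolved result is compared against the base.
    target = os.path.realpath(candidate)
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("target escapes the permitted directory")
    try:
        st = os.lstat(target)
    except OSError as exc:
        raise ValueError(f"cannot stat target: {exc.strerror}") from exc
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("only regular files may be removed")
    return target


def main(argv: list) -> int:
    """Command-line entry point: exactly one file name relative to BASE_DIR."""
    if len(argv) != 2:
        sys.stderr.write(f"usage: app-rm <file relative to {BASE_DIR}>\n")
        return 2
    try:
        target = validate_target(BASE_DIR, argv[1])
    except ValueError as exc:
        sys.stderr.write(f"app-rm: {exc}\n")
        return 1
    os.remove(target)
    return 0


def self_check() -> dict:
    """Exercise the validator against a throwaway directory (constructed
    test data) and report which arguments it accepts."""
    d = tempfile.mkdtemp(prefix="app-rm-demo-")
    try:
        open(os.path.join(d, "old.log"), "w").close()
        os.mkdir(os.path.join(d, "cache"))
        os.symlink("/etc/hostname", os.path.join(d, "escape"))
        cases = {
            "plain file": "old.log",
            "option": "-rf",
            "dotdot": "../../etc/passwd",
            "absolute": "/etc/passwd",
            "directory": "cache",
            "symlink": "escape",
            "missing": "nope.log",
            "dot": ".",
        }
        results = {}
        for name, arg in cases.items():
            try:
                validate_target(d, arg)
                results[name] = True
            except ValueError:
                results[name] = False
        return results
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Granting only this wrapper in sudoers exposes exactly one narrow capability instead of rm itself, which is the whitelist form Rinzwind describes as the thing that works. The check-then-remove sequence still leaves a small window in which the file could be replaced between validation and os.remove; for a single confined directory that is tolerable, but the answer's broader point stands: if the user only needs to manage files in one directory, group membership or an ACL on that directory avoids sudo entirely.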
-
muru (almost 9 years ago): Say you block "rm -rf". What's to prevent "rm -f / -r"?
-
Rinzwind (almost 9 years ago): Please explain the problem you have and not the solution you believe you need to apply. What you want here is not possible and the reason for it is because this method would be full of holes (as @muru already posted).
-
Alex Lowe (almost 9 years ago): I do not have a problem, I am just very curious.
-
Tim (almost 9 years ago): Good answer :P @Rinz see response
-
Rinzwind (almost 9 years ago): @alex ah good to know. What works is a "whitelist" -but- the fact you let that person use sudo is the problem: for instance a cp can be used as an equivalent to rm, making your rm fix in the sudoers file useless. If this would have been related to for instance updating /var/www/ for apache there are better methods (that is one example people need access outside their home).
-
j0h (over 8 years ago): I think there are ways to exert the control you desire, but even if you control the rm command, what would stop someone from running mv / /dev/null anyhow? It would appear you want a pseudo sudoer: perhaps someone who can modify system files, or access certain hardware, but not someone who can destroy the system easily. Perhaps it would be easier to control which shell a user logs into. There are probably like a million answers to this question.
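The objection muru and Rinzwind raise (a denied "rm -rf" is trivially rephrased, so only an exact whitelist means anything) can be checked offline with a small model of how sudoers matches a command line against a Cmnd entry. This is an added example, not code from the thread and not sudo's own code: it reimplements the argument-matching rules documented in sudoers(5) for plain entries without wildcards or aliases, using the Ruby line from the question's sudoers file as sample input. The flag denylist it tests against is a hypothetical policy written here for contrast (sudoers has no such feature), and the /srv/app/tmp path is a constructed placeholder.

```python
"""Model of sudoers(5) command matching, written to illustrate the thread.

Added example, not from the original answer or comments and not sudo's own
code. It reimplements the argument rules for plain Cmnd entries (no
wildcards, no aliases) so the behaviour can be exercised without editing a
real sudoers file. The user line is the one from the question; the flag
denylist and the /srv/app/tmp path are constructed for contrast.
"""
import shlex

# Cmnd list from the question's "Ruby ALL=..." line.
QUESTION_SPEC = "/usr/bin/apt-get update,/usr/bin/rm,/usr/bin/rmdir,/usr/bin/mkdir"

# Hypothetical "block these flags" policy: NOT a sudoers feature, shown only
# to demonstrate why a denylist on flags cannot work.
DENIED_FLAGS = ("-rf", "-fr")


def cmnd_matches(entry: str, cmdline: str) -> bool:
    """Return True if `cmdline` is permitted by the single Cmnd `entry`.

    Rules, per sudoers(5), simplified to exact paths:
      * entry with no arguments ('/usr/bin/rm'): any arguments are allowed
      * entry with arguments ('/usr/bin/apt-get update'): the user's
        arguments must match exactly, in the same order
      * entry ending in "": the command may only be run with no arguments
    """
    entry_parts = shlex.split(entry)
    cmd_parts = shlex.split(cmdline)
    if not entry_parts or not cmd_parts or entry_parts[0] != cmd_parts[0]:
        return False
    entry_args, cmd_args = entry_parts[1:], cmd_parts[1:]
    if not entry_args:
        return True                 # bare path: sudo does not look at arguments
    if entry_args == [""]:
        return not cmd_args         # explicit "": no arguments permitted
    return entry_args == cmd_args   # otherwise an exact, ordered match


def allowed_by_spec(spec: str, cmdline: str) -> bool:
    """Evaluate a comma-separated Cmnd list such as the one on the Ruby line."""
    return any(cmnd_matches(entry.strip(), cmdline) for entry in spec.split(","))


def naive_denylist_allows(cmdline: str) -> bool:
    """The policy the question hopes for: allow rm unless a denied flag appears.
    Hypothetical; included only to show it is bypassed by reordering flags."""
    return not any(arg in DENIED_FLAGS for arg in shlex.split(cmdline)[1:])


if __name__ == "__main__":
    # What the question's own line actually grants: a bare path means any arguments.
    for cmd in ("/usr/bin/rm -rf /", "/usr/bin/apt-get update", "/usr/bin/apt-get upgrade"):
        print(f"{cmd!r:40} allowed by question's line: {allowed_by_spec(QUESTION_SPEC, cmd)}")
    # muru's point: a flag denylist is rephrased away.
    for cmd in ("/usr/bin/rm -rf /", "/usr/bin/rm -f / -r"):
        print(f"{cmd!r:40} hypothetical denylist allows: {naive_denylist_allows(cmd)}")
    # Rinzwind's point: only an exact whitelist entry holds.
    entry = "/usr/bin/rm -r /srv/app/tmp"
    for cmd in ("/usr/bin/rm -r /srv/app/tmp", "/usr/bin/rm -rf /", "/usr/bin/rm /srv/app/tmp -r"):
        print(f"{cmd!r:40} exact entry allows: {cmnd_matches(entry, cmd)}")
```

Run it and the three groups show the thread's argument in order: the bare /usr/bin/rm entry on the question's own line already permits every argument, the denylist is defeated by reordering the flags, and the only entry form that refuses the reordered invocation is one that spells out the complete argument list. That is the whitelist Rinzwind refers to, and it is only useful for a fixed invocation, which is why the answer steers towards groups and ACLs instead.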