Specify command with quoted arguments in sudoers?

edit: Warning, it appears that sudo does not safely handle spaces in the command, so it is not safe to use sudo in this way. https://unix.stackexchange.com/a/279142/39281

Instead of using quotes in the sudoers file, you can escape spaces using backslash:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo\ XHCI\ >\ /proc/acpi/wakeup

You can still use it as follows, because the user's shell handles the quoted argument anyway:

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

You could also consider putting a complex command into a script, as suggested in a comment. https://serverfault.com/a/516002
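
The ambiguity discussed in the answer and comments, as an added example that is not part of the original post. It assumes a simplified model in which sudo compares the rule's argument text with the invoked arguments joined by single spaces; the helper names and the wrapper path are hypothetical.

```shell
#!/bin/sh
# Model (assumption, not sudo's code): the rule's argument text is compared
# with the invoked arguments joined by single spaces. Wildcards are ignored.

# Join arguments with single spaces; argument boundaries are lost here.
flatten() ( IFS=' '; printf '%s' "$*" )

# Drop sudoers backslash escapes: 'echo\ XHCI' becomes 'echo XHCI'.
rule_unescape() { printf '%s' "$1" | sed 's/\\\(.\)/\1/g'; }

# rule_allows RULE_ARGS ARG...: succeed if the flattened arguments equal the rule text.
rule_allows() {
    rule_args=$1; shift
    [ "$(rule_unescape "$rule_args")" = "$(flatten "$@")" ]
}

# Print the verdict, the real argument count and the flattened form.
show() {
    rule=$1; shift
    if rule_allows "$rule" "$@"; then verdict=MATCH; else verdict=DENY; fi
    printf '%-5s argc=%d  %s\n' "$verdict" "$#" "$(flatten "$@")"
}

# Constructed invocations, built from the commands quoted on this page.
escaped='-c echo\ XHCI\ >\ /proc/acpi/wakeup'
plain='-c echo XHCI > /proc/acpi/wakeup'
show "$escaped" -c 'echo XHCI > /proc/acpi/wakeup'   # intended: 2 arguments
show "$escaped" -c echo XHCI '>' /proc/acpi/wakeup   # 5 arguments, same text
show "$plain"   -c 'echo XHCI > /proc/acpi/wakeup'   # unescaped rule, same result
show 'this that the other' this that 'the other'     # mv example from the comments
show 'this that the other' this that the other
show "$plain"   -c 'echo OTHER > /proc/acpi/wakeup'  # constructed non-matching text

# Wrapper-script alternative (hypothetical path /usr/local/sbin/xhci-wakeup,
# root-owned and not writable by the user):
#   #!/bin/sh
#   echo XHCI > /proc/acpi/wakeup
# sudoers entry; the trailing "" means no arguments are accepted:
#   %sudo   ALL=(ALL)  NOPASSWD: /usr/local/sbin/xhci-wakeup ""
```

Under this model the escaped and unescaped rules accept the same set of invocations, which is why the wrapper script with an empty argument list is the form that pins down exactly one command.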

Author: Ryan Lue

Updated on September 18, 2022

Comments

  • Ryan Lue
    Ryan Lue almost 2 years

    The General Case

    I'm trying to enable a user to run a sudo command (with arguments) without a password. I can get the NOPASSWD directive to work, but only when the arguments don't contain quotation marks.

    For example, this works:

    # /etc/sudoers.d/sample
    %sudo   ALL=(ALL)  NOPASSWD: /bin/echo foo
    
    $ sudo echo foo
    foo
    

    But this doesn't, because quotation marks are interpreted literally:

    # /etc/sudoers.d/sample
    %sudo   ALL=(ALL)  NOPASSWD: /bin/echo "foo"
    
    $ sudo echo "foo"
    [sudo] password for rlue:
    $ sudo echo \"foo\"
    "foo"
    

    My Specific Case

    This is the command I'm trying to allow:

    $ sudo sh -c 'echo XHCI > /proc/acpi/wakeup'
    

    I actually got it to work with the following unquoted command:

    %sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup
    

    But since it calls out to sh -c, and since I clearly don't understand precisely what's going on, I'd like to be extra explicit about what I'm allowing.

    How can I specify quoting for command arguments in the sudoers file?

    • Ryan Lue
      Ryan Lue about 6 years
      Sure, but for example, mv this that the other is different from mv this that 'the other', and the unquoted syntax permits both. How can I be sure I haven't missed any edge cases?
  • Ryan Lue
    Ryan Lue about 6 years
    This appears semantically identical to not having backslashes (that is, the arguments can still be grouped with quotation marks in every possible arrangement).
  • Sam Watkins
    Sam Watkins about 6 years
    Someone commented: there's another QA telling this is possibly unsafe: unix.stackexchange.com/questions/279125/… then removed their comment. But they were right, it is unsafe, seems like sudo is not safe to be used when there are spaces in the command name. Perhaps I am misusing it, or perhaps it is a rubbish insecure tool. If it is so easy to misuse, I suggest the latter.