
There is a command (say: mycommand) that we want to add to sudo for all users, but there is one specific command line option -i that we want to exclude. A complicating factor is that command line arguments can be combined, making it harder to build a regex or something. So we want to allow:

  • sudo mycommand
  • sudo mycommand -p -f something -w
  • sudo mycommand -pf something -w

but not:

  • sudo mycommand -i
  • sudo mycommand -p -i -f something -w
  • sudo mycommand -pif something -w

So far I have had mixed results, like incorrectly allowing "sudo mycommand -piw" or incorrectly blocking "sudo mycommand -pf something -w".

Any suggestions, other than writing a wrapper script?

Kees C

1 Answer


It is possible to exclude command line options using patterns in the sudoers file. However, this can be error-prone, so a wrapper script is often a better approach.

If you are using sudo 1.9.10 or higher, you can use regular expressions in the sudoers file, which allows you to do things like:

someuser ALL = /usr/bin/swlist, !/usr/bin/swlist ^.*-i.*$

which would reject any command line arguments that include '-i'. However, if the command supports compound options this won't catch things like:

$ sudo swlist -pi -f something -w

In that (likely) case, you'll need something like:

someuser ALL = /usr/bin/swlist, !/usr/bin/swlist ^.*-[^[:space:]]*i.*$

Older versions of sudo only support shell-style globbing patterns, which are more limited and don't support what you want to do.

  • That answer looks promising, but unfortunately I'm stuck with sudo 1.8.6, without possibility of upgrading due to "corporate rules". Big thanks anyway. – Kees C Aug 01 '22 at 07:16
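As an added illustration (not part of the answer, and not sudo's own code), this Python model applies the answer's two deny patterns to the command lines from the question plus two constructed edge cases. It shows that the compound-option pattern closes the -pif gap but also denies any argument containing a hyphen followed by an i, such as a long option or a filename; sudo compiles these as POSIX extended regexes, and since Python's re has no [[:space:]] class, \S stands in for [^[:space:]].

```python
import re

# The two sudoers patterns from the answer, rewritten as Python regexes.
# sudo uses POSIX extended regexes; \S replaces [^[:space:]] here.
NAIVE_DENY = re.compile(r"^.*-i.*$")
COMPOUND_DENY = re.compile(r"^.*-\S*i.*$")


def sudo_allows(args: str, deny: re.Pattern) -> bool:
    """Model of `user ALL = /usr/bin/mycommand, !/usr/bin/mycommand <deny>`.

    The unqualified entry permits any argument string; the negated entry
    rejects those matching `deny`. Only the argument text is tested here,
    as the command path in the answer's rules is a literal, not a regex.
    """
    return deny.match(args) is None


# Constructed cases: argument string -> whether the question wants it allowed.
CASES = {
    "": True,
    "-p -f something -w": True,
    "-pf something -w": True,
    "-i": False,
    "-p -i -f something -w": False,
    "-pif something -w": False,
    "-piw": False,
}

# Constructed edge cases the question did not list: no -i option is given,
# so the intent is to allow them, but they contain "-...i" inside a token.
EDGE_CASES = {
    "-f my-file": True,
    "--list": True,
}


def classify(cases: dict, deny: re.Pattern):
    """Return (wrongly_allowed, wrongly_denied) relative to the stated intent."""
    wrongly_allowed = [a for a, want in cases.items()
                       if not want and sudo_allows(a, deny)]
    wrongly_denied = [a for a, want in cases.items()
                      if want and not sudo_allows(a, deny)]
    return wrongly_allowed, wrongly_denied


if __name__ == "__main__":
    for name, deny in (("naive", NAIVE_DENY), ("compound", COMPOUND_DENY)):
        print(name, "question cases:", classify(CASES, deny))
        print(name, "edge cases:    ", classify(EDGE_CASES, deny))
```

The compound pattern errs on the side of denying, which is the safer failure mode for a sudo rule, but it is why the answer still recommends a wrapper script when the command takes values that may contain hyphens.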