What does the first star (*) mean in visudo command restriction

Question

Restriction example in visudo :

(ALL) NOPASSWD: (ALL) /bin/cp * /var/www/html/*

I understand most of it, its just the first star driving me nuts. My best guess is , its either for command options or source path.

Thanks!

score 0 · Accepted Answer · answered Aug 14 '17 at 15:09

0

It is for both options and the source argument. Any command line that starts with /bin/cp and includes /var/www/html would match.

However this rule might not be what's intended. It is rather dangerous. You can misuse this rule to bypass the destination restriction.

answered Aug 14 '17 at 15:09

Dima Chubarov

Thanks Dmitri, that's why I could not understand it. Any idea how do I separate options and source? Will double star do it (/bin/cp * * ...)? – Adrian Aug 15 '17 at 06:22
@Adrian One way to restrict copying to a specific destination directory would be to make a script that does just that and validates the input on the way. Doing this with just the sudoers wildcard patterns is fragile and prone to abuse. – Dima Chubarov Aug 15 '17 at 06:36

1 Answers1