Help Writing Sudoers Command Alias Complex Command
Hello All,
I have been trying to figure out how to get a complex command to work in the sudoers file over the past couple days using visudo but have failed and I do not know what else to try.
And a couple others but I figure if I can get at least one to work the others will not be so hard.
I have a test user created and can get some other commands to work with sudo such as:
Code:
testuser ALL = (root) NOPASSWD: /usr/bin/cat /sys/kernel/debug/x86/pti_enabled, /usr/sbin/dmidecode
However, for the more complex commands I need to get to work it does not. I have tried using things like wildcards (*), played around with using quotes (" commandline args ..."), etc., but looking in the log files it looks like it is only seeing just the initial command before the pipe and nothing else:
Quote:
it looks like it is only seeing just the initial command before the pipe and nothing else:
As far as I know sudoers does NOT use a shell, unless you specify a shell script (with a starting shebang en.wikipedia.org/wiki/Shebang_%28Unix%29 to specify the shell) to execute, so shell constructs like pipelines, redirection, command concatenation and/or wildcards are not available TO it. It rather specifically looks at the command you have given in the sudoers file itself.
Thanks for the great comments as now it does make sense to me what the problem is and I feel like there is no solution by just editing the sudoers file. However, I am not sure I like the idea of creating a dedicated shell script either. I have been trying to create a command alias in the test user's .bashrc file as some kind of middle ground but so far it has not yet been working. Does everyone think this should work at least?
As ehartman stated above, sudoers doesn't use a shell. Thus, it knows nothing about shell aliases. Moreover, sudo is very restrictive about the command environment and by default inherits only a few environment variables from the user.
You may use shell-style wildcards when specifying commands in sudoers though, but be aware of some quirks. From sudoers(5) manpage:
Quote:
Note that the following characters must be escaped with a ‘\’ if they are used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’.
Quote:
Character classes may be used if your system's glob(3) and fnmatch(3) functions support them. However, because the ‘:’ character has special meaning in sudoers, it must be escaped. For example:
Code:
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
Note that a forward slash (‘/’) will not be matched by wildcards used in the file name portion of the command. This is to make a path like:
Code:
/usr/bin/*
match /usr/bin/who but not /usr/bin/X11/xterm.
When matching the command line arguments, however, a slash does get matched by wildcards since command line arguments may contain arbitrary strings and not just path names.
Wildcards in command line arguments should be used with care.
Command line arguments are matched as a single, concatenated string. This means a wildcard character such as ‘?’ or ‘*’ will match across word boundaries, which may be unexpected. For example, while a sudoers entry like:
Code:
%operator ALL = /bin/cat /var/log/messages*
will allow a command like:
Code:
$ sudo cat /var/log/messages.1
It will also allow:
Code:
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to do command line processing outside of the sudoers file in a scripting language.
As you can see, even if wildcards are allowed in command arguments in sudoers, using them there is not the best idea.
But putting all that aside, just imagine the security implications of shell aliases being allowed in sudoers. They are controlled by the user and could be changed on a whim. How about alias lsmod='rm -rf /'?
I wouldn't recommend anything in ~user/.bashrc because the user (owner) can modify it. Also, an alias is not a good idea, because it is not handled very well among different shells (for example when sudo was executed).
I'd reiterate what has been written already: writing a short script is the way to accomplish your task and, specifically, that script must not be writable in any way, directly or indirectly, by any other account than root. So keeping it in /usr/local/bin/ or /usr/local/sbin/ would be one good choice, since that's where scripts generally go anyway: A place for everything and everything in its place, see "man hier".
Scripting is a useful and important part of using the computer. It might seem challenging at first but it's not hard once you get familiar with the process.
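Added example (not code from this thread): a POSIX sh wrapper of the kind recommended above, together with a small helper that imitates the sudoers(5) behaviour quoted earlier, where the argument list is matched as one concatenated string. The script name /usr/local/sbin/show-log, the sudoers line and the pipeline are assumptions standing in for the poster's real command.

```shell
#!/bin/sh
# Hypothetical wrapper script: /usr/local/sbin/show-log (path and name assumed).
# Owned by root, mode 0755, and referenced from sudoers by absolute path only:
#   testuser ALL = (root) NOPASSWD: /usr/local/sbin/show-log
# The pipeline lives here, so the sudoers rule needs no wildcards or shell syntax.
set -eu
PATH=/usr/sbin:/usr/bin:/sbin:/bin    # fixed PATH: never trust the caller's

# Imitates the sudoers(5) quirk quoted above: the argument list is matched as ONE
# concatenated string, so a glob in the rule can span a word boundary.
# $1 is the rule's argument pattern, the rest are the attempted arguments.
sudoers_like_match() {
    pattern=$1; shift
    case "$*" in
        $pattern) return 0 ;;
        *) return 1 ;;
    esac
}

# Allow-list for the wrapper's single argument: plain log names only, so
# "messages /etc/shadow" or "../etc/shadow" can never reach the command.
allowed_log() {
    case "$1" in
        messages|messages.[0-9]|messages.[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point: exactly one validated argument, then a fixed pipeline
# (the pipeline itself is an assumed stand-in for the poster's real command).
show_log() {
    [ "$#" -eq 1 ] || return 2
    allowed_log "$1" || return 2
    cat "/var/log/$1" | grep -i error | tail -n 20
}

# Only run when executed under the installed name; sourcing the file
# just defines the functions.
case "${0##*/}" in
    show-log) show_log "$@" ;;
esac
```

With the rule above, `sudo /usr/local/sbin/show-log messages` is the only form that reaches the pipeline; extra or unexpected arguments are rejected by the wrapper before anything runs.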
MadeInGermany has a good idea. However, I tried that and it does not work. I believe the pipe (|) and And (&&) break this functionality. Basically from my understanding you can only alias a single command from the sudoers file. This means that no other shell functionality will work and so breaking up the original command will not work.
Honestly, in my case another application is running the:
which means that application has to run that command exactly and cannot run a separate script unless that script is aliased as was my last idea I tried.
So, at this time my feeling is what I am trying to do cannot be done as the more I think about it creating a script and aliasing from a users profile does not seem like a valid solution either. If someone else has any other ideas please let me know. Either way thanks again for everyone's time as I definitely have learned from this.
Quote:
cannot run a separate script unless that script is aliased as was my last idea I tried.
Aliasing is a shell function too (and is rather "which shell" dependent). So you cannot use any aliases in a sudoers file.
And - for instance - sourcing an executable through the PATH is a shell task too; the sudoers file needs absolute paths to the commands to be executed.