Old 08-05-2015, 06:08 PM   #1
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Rep: Reputation: Disabled
Sudoers not working without absolute path


Hi all,

Cmnd_Alias AVAMAR_APPS=/bin/vi /usr/local/avamar/*

user ALL = (ROOT) NOPASSWD: AVAMAR_APPS


With the above, sudo access to view all the files within /usr/local/avamar/ and its subdirectories is not working properly.
It's working only when I give the full pathname from the home directory.

Every time I have to give the full pathname from the home directory to view files, as below:

[user@server1 ~]$ sudo vi /usr/local/avamar/bin

Please suggest how to view the files via vi within all the subdirectories under /usr/local/avamar itself using sudo.
 
Old 08-05-2015, 07:30 PM   #2
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
As far as I know, you have to specify the full path to each executable/action you wish your sudoers user/group to use.

It would be a large security risk to allow every executable in a directory, for example, all of /bin. Especially if you set sudoers to require no password.
 
Old 08-06-2015, 10:46 AM   #3
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi mralk3,

Thanks for your reply, I do understand the security concern, but our user is persisting to find a way to run sudo from the subdirectories.
Is there any way to accomplish that without compromising security?
 
Old 08-06-2015, 11:09 AM   #4
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by niresh2012 View Post
Hi mralk3,

Thanks for your reply, I do understand the security concern, but our user is persisting to find a way to run sudo from the subdirectories.
Is there any way to accomplish that without compromising security?
Well, if somehow a piece of malware was copied/installed on your system in the subdirectory you pick, anyone on the system could run it without a password. You are essentially removing user/group permissions from your system for every file/binary installed to that directory.

I don't see why you cannot just enter the full path for each application you wish to run into the sudoers file. That is how sudo was intended to be used. If it's a production environment, I personally wouldn't be allowing every user on the system passwordless access to any file/binary in a directory. It is essentially giving root access to every user on the system to all files in that directory.

To hack your system all an attacker would need to do is replace/add malware to that directory and run....

Code:
~# sudo /path/to/sudo/dir/uber-malware
...your system is now compromised with a backdoor, rootkit, take-your-pick malware.

EDIT
The only thing preventing such a compromise would be if the directory had the right file permissions to prevent unprivileged users from writing files to that directory. Still though, nothing is preventing unprivileged users from causing damage to the system with the already installed binaries because they have full access to the system.

Last edited by mralk3; 08-06-2015 at 11:13 AM.
 
Old 08-06-2015, 11:16 AM   #5
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
Quote:
Originally Posted by niresh2012 View Post
Hi mralk3,

Thanks for your reply, I do understand the security concern
No, clearly you do not.

Quote:
Originally Posted by niresh2012 View Post
but our user is persisting to find a way to run sudo from the subdirectories.
Is there any way to accomplish that without compromising security?
No.
 
Old 08-06-2015, 11:20 AM   #6
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by cynwulf View Post
No, clearly you do not.


No.
So harsh, haha. I had a similar response in mind but decided it would be more constructive for everyone to explain the security implications. I try my best not to flame people for threads like this...



 
Old 08-06-2015, 12:11 PM   #7
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
@mralk3

Don't get me wrong, I didn't mean to be harsh to you. The user is asking why he needs to run it with the whole pathname when he is already in the particular subdirectory. I even tried sudo access for every subdirectory inside /usr/local/avamar, but it's still working only with the full pathname. Is there any way to overcome this by sudo itself instead of changing permissions for the directories?
 
Old 08-06-2015, 12:15 PM   #8
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
You misunderstand. No reason to change the permissions for the directory. With sudo there is no way to add a full directory to the sudoers file.

You have to add the full path to each binary you wish your sudoers users to run without a password.

It is also not a good idea to do this on a production machine.
 
Old 08-06-2015, 04:18 PM   #9
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
Is there any way I can achieve it by using an alias?
 
Old 08-06-2015, 06:24 PM   #10
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by niresh2012 View Post
Is there any way I can achieve it by using an alias?
If what you mean are aliases using sudo, then yes. You can create a list of commands (using the full paths) and link it to an alias. Then refer to this alias for each user or user group that can run those commands.

You will not however be able to avoid adding the full paths of each command in the alias.

All of this is clearly stated in the sudo documentation. Here is a link that explains quite a bit about how sudo works:

https://help.ubuntu.com/community/Sudoers
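
Added example, not part of the thread and not sudo's own code: a simplified Python model of how a rule like the one in post #1 is compared with what the user typed. It shows why the relative `sudo vi bin` is refused while the absolute form is accepted, and it flags arguments that match the pattern textually but lie outside /usr/local/avamar. The function names and sample invocations are constructed; the matching model is an assumption based on sudoers' documented shell-style argument matching.

```python
import fnmatch
import posixpath

# Taken from the rule in post #1:
#   Cmnd_Alias AVAMAR_APPS=/bin/vi /usr/local/avamar/*
RULE_CMD = "/bin/vi"
RULE_ARGS = "/usr/local/avamar/*"
ALLOWED_ROOT = "/usr/local/avamar"  # the directory the rule is meant to cover


def rule_matches(cmd_path, args):
    """Simplified model (assumption) of sudoers matching: the command is
    compared as a full path, and the arguments are joined with spaces and
    matched as ONE string against a shell-style pattern. Nothing is resolved
    against the current directory, and '*' may match '/' and spaces."""
    return cmd_path == RULE_CMD and fnmatch.fnmatchcase(" ".join(args), RULE_ARGS)


def absolutize(cwd, arg):
    """What a wrapper would do before calling sudo: rewrite the user's
    relative argument into the absolute form the rule is written against."""
    return posixpath.normpath(posixpath.join(cwd, arg))


def escapes_root(args):
    """Audit check: True if any argument, once normalized, is not under ALLOWED_ROOT."""
    for arg in args:
        norm = posixpath.normpath(arg)
        if norm != ALLOWED_ROOT and not norm.startswith(ALLOWED_ROOT + "/"):
            return True
    return False


def review(args):
    """Classify one invocation of `sudo vi <args>` against the rule."""
    if not rule_matches(RULE_CMD, args):
        return "denied"
    return "allowed-but-outside-root" if escapes_root(args) else "allowed"


if __name__ == "__main__":
    cwd = "/usr/local/avamar"
    # Constructed sample invocations, not taken from any log in the thread.
    samples = [["bin"], [absolutize(cwd, "bin")],
               ["/usr/local/avamar/../share/x"], ["/usr/local/avamar/a", "/tmp/b"]]
    for args in samples:
        print(f"sudo vi {' '.join(args):42} -> {review(args)}")
```

The last two samples are the reason to review wildcard argument rules before granting them: the pattern is compared as text, so an entry written for one directory can match more than that directory.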
 
  

