Bugzilla – Full Text Bug Listing
| Summary: | problem with wildcard expansion in command run under Runas_Alias | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Debbie Schuman <dpschuman> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED INVALID | | |
| Severity: | high | | |
| Priority: | normal | | |
| Version: | 1.6.7 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Just wondering if anyone has run into this problem before (or whether it's something that I'm doing wrong in setting up the SUDO rule). Thanks - Debbie Schuman

The problem is that your shell is trying to expand /var/appdir/logs/*.log before sudo is executed, which it cannot do because of the directory permissions. The wildcard matching in sudo matches entries in the sudoers file against what was specified on the command line, not files in the filesystem, so quoting the wildcarded path won't help either. There really isn't a good way to do what you want without the added grep step.

Thanks Todd. I gave the users a couple of workarounds, but needed something definite to tell them why the wildcard expansion didn't work as they thought it should.
I may be missing something, but there seems to be a problem when using a Runas_Alias to execute a command with wildcards in an argument. The example I ran across is with the ls and grep commands. Here's the scenario...

1. The sudoers entries:

   ```
   Runas_Alias = MYALIAS = appid
   Cmnd_Alias = LS_CMD = /bin/ls *
   User_Alias = MYUSER
   MYUSER ALL= (MYALIAS) LS_CMD
   ```

2. The directory that I am trying to run against has permissions 750 and is owned by appid:appgrp: `/var/appdir/logs`

3. `sudo -u appid /bin/ls -l /var/appdir/logs/*.log` gets error: `ls: /var/appdir/logs/*.log: No such file or directory`

4. `sudo -u appid /bin/ls -l /var/appdir/logs` works ok - get directory listing of all files in directory as expected.

5. `sudo -u appid /bin/ls -l /var/appdir/logs/log1.log` works ok - can specify a file name that exists and get a listing as expected.

Only seems to have trouble when it has to expand a wildcard in a directory that doesn't have read access for the login user. I can get around the problem by putting the ls/grep commands in a script owned by the appid:appgrp, then put in a rule to run the script. That works ok. It just seems like if the Runas_Alias target user has permission on the directory, the wildcard functionality should be valid. Any advice would be greatly appreciated...
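The behaviour discussed in this report can be reproduced without sudo. The script below is an added example, not part of the original bug report or of sudo: a temporary directory stands in for /var/appdir/logs, mode 000 models the invoking user's view of it and mode 750 the Runas target's view, and the function names are made up for the demo.

```shell
#!/bin/sh
# Constructed demo; no sudo is invoked. A temp directory stands in for
# /var/appdir/logs. Mode 000 models the invoking user's view of it,
# mode 750 the view of the Runas target (appid).
demo_dir=$(mktemp -d)
logs="$demo_dir/logs"
mkdir "$logs"
touch "$logs/log1.log" "$logs/log2.log"
trap 'chmod 750 "$logs"; rm -rf "$demo_dir"' EXIT

# Print, one per line, the words a shell produces for logs/*.log while the
# directory has the given mode. This is what ends up in sudo's argv.
expand_with_mode() {
    mode=$1
    pattern="$logs/*.log"
    chmod "$mode" "$logs"
    # root ignores mode bits; disable globbing to model the failed read
    if [ "$mode" = 000 ] && [ -r "$logs" ]; then set -f; fi
    set -- $pattern          # unquoted on purpose: the shell expands it
    set +f
    chmod 750 "$logs"
    printf '%s\n' "$@"
}

# Step 3 of the report: ls runs with access to the directory, but its
# argument is the literal pattern left over from the invoking shell.
ls_with_invoker_argv() {
    arg=$(expand_with_mode 000)
    ls -l "$arg" >/dev/null 2>&1
}

# The script workaround: the glob is expanded by a shell that already
# runs with the target's access.
ls_expanded_by_target() {
    chmod 750 "$logs"
    sh -c 'ls -l "$1"/*.log' sh "$logs" >/dev/null 2>&1
}

echo "invoking shell passes: $(expand_with_mode 000)"
if ls_with_invoker_argv; then echo "ls: ok"; else echo "ls: no such file"; fi
if ls_expanded_by_target; then echo "expanded by target: ok"; fi
```

A wrapper script keeps the sudoers rule narrow: the rule names one script with fixed behaviour rather than `/bin/ls *` with arbitrary arguments.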