How do I use command arguments with Cmnd_Alias in sudoers?

by

How do I specify command arguments in sudoers? As a background, aws command is actually a gateway to a whole bunch of sub-systems and I want to restrict the user to only run aws s3 cp ...any other args...

When I try the following in /etc/sudoers

Cmnd_Alias AWSS3_CMD = /usr/local/bin/aws s3 cp, /usr/local/aws/bin/aws s3 cp
gbt1 ALL=(gbt-ops) NOPASSWD: AWSS3_CMD

The shell unfortunately prompts for password

$ sudo -u gbt-ops aws s3 cp helloworld s3://my-bucket/hw.1
gbt-ops's password:

If I remove the command args in Cmnd_Alias, then it flows as desired (without password prompt), but the authorization are way too broad. So, what is the right way of restricting to only certain types of command invocations. 

Cmnd_Alias AWSS3_CMD = /usr/local/bin/aws, /usr/local/aws/bin/aws

Then

$ sudo -u gbt-ops aws s3 cp helloworld s3://my-bucket/hw.1
...happy

Thanks a lot.

Contents hide
Answers:
Method 1
Method 2

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

You haven’t used any wildcards, but have provided two arguments. Therefore sudo looks for commands exactly as written (excepting path-lookup) (from man 5 sudoers): 

 If a Cmnd has associated command line arguments, then the arguments in
 the Cmnd must match exactly those given by the user on the command line
 (or match the wildcards if there are any).

Try something like:

Cmnd_Alias AWSS3_CMD = /usr/local/bin/aws s3 cp *, /usr/local/aws/bin/aws s3 cp *

Note that:

 Wildcards in command line arguments should be used with care.  Because
 command line arguments are matched as a single, concatenated string, a
 wildcard such as ‘?’ or ‘*’ can match multiple words.

So, only one wildcard is needed per command.

Method 2

The same as @muru, but for those who like full working example:

# Cmnd alias specification
Cmnd_Alias ECHO_CMD=/bin/echo A *,/bin/echo B *

# Make USER run specific commands on given HOSTNAME
# USER_NAME 

#userx
userx ALL=(root) NOPASSWD: /sbin/cmd1,/sbin/cmd2,ECHO_CMD

While /sbin/cmd1,/sbin/cmd2 can be any other commands.

The purpose of ECHO_CMD is to present that sudo echo X A will ask for passphrase, while sudo echo A X not, and to allow you to gain confidence through such simple experiment.

(It was assumed that echo sits in /bin/echo, to check where it is on your system try whereis echo)


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x