Wildcards in sudoers

Ralph Grothe
Hi,

I want to allow the informix user to issue the VxVM command "vxdisk list" in CGI context.
I know that I could rather choose the vxprint command, which is executable by any user and has, among dozens of standard outputs, freely formattable ones via the -F option.
However the reason I want to use the vxdisk command instead is that it has the nice feature of even displaying VxVM aware disks whose disk groups are currently not imported to the node (n.b. as you can guess this is because of usage in a VCS cluster context) by squeezing in the "-o alldgs" option.
To query each disks specs as well I wanted to use one single wildcard expression for designation of optional switches.
According to "man sudoers" this should be matched by "*", which means zero or any number of occurrences.
However with this command alias

Cmnd_Alias VXVM = /usr/sbin/vxdisk * list

I can do this as informix

$ sudo /usr/sbin/vxdisk -o alldgs list|head -3
DEVICE TYPE DISK GROUP STATUS
c0t0d0s2 sliced rootdsk0 rootdg online
c0t1d0s2 sliced rootdsk1 rootdg online


Whereas this fails

$ sudo /usr/sbin/vxdisk list

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:


OK, I could as well put every command verbatim in sudoers (which would have been the quicker solution), but I'm curious why my use of sudo wildcards isn't working.

Madness, thy name is system administration
Massimo Bianchi

Re: Wildcards in sudoers

Hi,
just a curiosity: try to issue a
sudo -l

as the informix user.

HTH,
Massimo
Jeff_Traigle
Solution

Re: Wildcards in sudoers

Interesting. If you remove the space between * and list, it appears to work. (I tried the format with the ls command on a system I have.)

Cmnd_Alias VXVM = /usr/sbin/vxdisk *list

instead of

Cmnd_Alias VXVM = /usr/sbin/vxdisk * list
--
Jeff Traigle
Jeff_Traigle

Re: Wildcards in sudoers

Wasn't too clear why this was until I thought about it a few more minutes.

sudo is very literal and sequential in the way it interprets the Cmnd_Alias value. Here's how the vxdisk command lines up without any options supplied:

Cmnd_Alias def: /usr/sbin/vxdisk * list
sudo interpret: /usr/sbin/vxdisk list

Instead of * expanding to a null string, it's expanded/matched to "list". However, this means there is no option available to match with the list option sudo expects at the end of the vxdisk command to allow the user to run it.
--
Jeff Traigle
Victor BERRIDGE

Re: Wildcards in sudoers

Hi Ralph,
To continue on Jeff's remark I would add, but cannot test at the moment:
Cmnd_Alias VXVM = /usr/sbin/vxdis* list
should work also...
I remember 2 years ago going through something of the sort and found out the syntax you give is interpreted in "strict" form, so with
Cmnd_Alias VXVM = /usr/sbin/vxdisk * list
$ sudo /usr/sbin/vxdisk list
should work (2 spaces)
All this to say, when I was asked to tighten the syntaxes of some commands but couldn't guess how many args and spaces (and so it wouldn't work..) I gave up and put su - -c /.../**

All the best
Victor
Ralph Grothe

Re: Wildcards in sudoers

Hello Massimo, Jeff, Victor,

sorry for my belated feedback, but as usual something unexpected needed my attention yesterday.

Jeff, you were dead right.
sudo indeed is very picky, as compared to shell type globbing or command line interpreting of wildcards.
I was lured into shell syntax because sudoers manpage stresses this comparison.
Finally this wildcarding worked for me:

$ id && sudo -l|tail -1
uid=204(informix) gid=200(informix)
(root) NOPASSWD: /usr/sbin/vxdisk *list*
Madness, thy name is system administration
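The behaviour Jeff describes, and the patterns proposed across this thread, can be checked without touching a live sudoers file. The script below is an added illustration, not code from the thread or from sudo itself: it models sudo's argument matching (the user's arguments joined with single spaces and compared as one string with fnmatch(3)-style wildcards, so a "*" can span several words but a literal space in the pattern must really be there) and runs every Cmnd_Alias variant from the thread against the vxdisk command lines the thread mentions. The candidate command lines and the per-disk "list c0t0d0s2" line are constructed sample input; real sudoers entries also allow comma lists, quoting and user/host specs, which this simplified parser does not handle.

```python
import fnmatch
from typing import List, Optional, Tuple

WILDCARD_CHARS = "*?[]"


def parse_cmnd_alias(line: str) -> Tuple[str, str, Optional[str]]:
    """Split a one-command Cmnd_Alias line into (alias, command, args).

    Simplification (assumption): one command per alias, no comma lists, no quoting.
    args is None when the entry names only the command, i.e. any arguments are allowed.
    """
    lhs, rhs = line.split("=", 1)
    alias = lhs.split()[1]
    parts = rhs.strip().split(None, 1)
    command = parts[0]
    args = parts[1] if len(parts) > 1 else None
    return alias, command, args


def args_match(sudoers_args: Optional[str], user_args: List[str]) -> bool:
    """Model of how sudo compares the argument part of an entry with what the user typed.

    - None  : entry had no argument part, any arguments are accepted
    - ""    : entry had an explicit empty argument list, only a bare command matches
    - else  : user arguments are joined with single spaces and glob-matched as one string
    """
    if sudoers_args is None:
        return True
    joined = " ".join(user_args)
    if not any(c in sudoers_args for c in WILDCARD_CHARS):
        return joined == sudoers_args          # literal entry: exact comparison
    return fnmatch.fnmatchcase(joined, sudoers_args)


def command_match(spec_cmd: str, spec_args: Optional[str], argv: List[str]) -> bool:
    """True when argv (full path first) is admitted by the entry (spec_cmd, spec_args)."""
    if not fnmatch.fnmatchcase(argv[0], spec_cmd):   # the path itself may carry wildcards
        return False
    return args_match(spec_args, argv[1:])


def admitted(alias_line: str, candidates: List[List[str]]) -> List[str]:
    """Return the candidate command lines (joined for readability) that an alias admits."""
    _, cmd, args = parse_cmnd_alias(alias_line)
    return [" ".join(argv) for argv in candidates if command_match(cmd, args, argv)]


# Cmnd_Alias variants that appear in the thread.
ALIASES = [
    "Cmnd_Alias VXVM = /usr/sbin/vxdisk * list",
    "Cmnd_Alias VXVM = /usr/sbin/vxdisk *list",
    "Cmnd_Alias VXVM = /usr/sbin/vxdis* list",
    "Cmnd_Alias VXVM = /usr/sbin/vxdisk *list*",
]

# Constructed sample command lines (argv as sudo would see them after shell splitting;
# typing two spaces between words does not change argv).
CANDIDATES = [
    ["/usr/sbin/vxdisk", "list"],
    ["/usr/sbin/vxdisk", "-o", "alldgs", "list"],
    ["/usr/sbin/vxdisk", "list", "c0t0d0s2"],
]

if __name__ == "__main__":
    for line in ALIASES:
        print(line)
        for argv in CANDIDATES:
            mark = "admits " if " ".join(argv) in admitted(line, CANDIDATES) else "denies "
            print("   ", mark, " ".join(argv))
```

Running it reproduces the thread: "* list" denies the bare "vxdisk list" because the pattern demands a space before "list" that the joined argument string "list" does not contain, while "*list" and "*list*" admit it. The output also shows the other side of that coin: "*list*" admits any argument string containing "list", so when such an entry is deployed the set of admitted command lines should be reviewed deliberately, which is why listing the exact commands verbatim (as the original poster considered) is the safer default.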