Multiple argument wildcard matches for sudoers file?
I'm trying to figure out how to create an entry in the sudoers file where I allow a limited set of arguments, some of them optional, while still keeping the command very restrictive.
Is there any easy way to limit these restrictions?
I'd like the user to be able to run with the -w flag and an optional value, but still be restrictive. I don't want to hardcode values for the -w option. The user should be able to run any of these commands, with 10 being any digit.
/usr/bin/iptables -nvL *
/usr/bin/iptables -w -nvL *
/usr/bin/iptables -w 10 -nvL *
I came up with these 4 entries. Is there a better way to have optional values defined?
username ALL=(root) NOPASSWD: /usr/bin/iptables -nvL *
username ALL=(root) NOPASSWD: /usr/bin/iptables -w -nvL *
username ALL=(root) NOPASSWD: /usr/bin/iptables -w [[:digit:]] -nvL *
username ALL=(root) NOPASSWD: /usr/bin/iptables -w [[:digit:]][[:digit:]] -nvL *
asked Sep 27 '17 at 20:54 by LF4, edited Sep 27 '17 at 21:40
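To see what the four entries in the question actually allow, here is an added example (not from the question or either answer) that emulates sudo's argument matching: sudoers(5) compares the user's arguments, joined into one space-separated string, against the entry's argument pattern using fnmatch(3), so the program calls glibc's fnmatch directly. The candidate invocations are constructed for the demonstration.

```c
/* Added example: emulate how sudo matches a user's command arguments
 * against the argument pattern of a sudoers entry.  Per sudoers(5) the
 * arguments are matched as one space-separated string with fnmatch(3);
 * this calls glibc's fnmatch rather than reproducing sudo's own code.
 * Build: cc -o sudoers_args sudoers_args.c */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* sudoers(5) rules: no arguments in the entry -> any user arguments match;
 * the entry "" -> only an invocation without arguments matches;
 * otherwise the pattern is matched with fnmatch(3) against the joined
 * user arguments (an absent argument list is the empty string). */
int sudoers_args_match(const char *sudoers_args, const char *user_args)
{
    if (sudoers_args == NULL)
        return 1;
    if (strcmp(sudoers_args, "\"\"") == 0)
        return user_args == NULL || user_args[0] == '\0';
    return fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0;
}

/* The argument patterns of the four entries from the question, in order. */
static const char *patterns[] = {
    "-nvL *",
    "-w -nvL *",
    "-w [[:digit:]] -nvL *",
    "-w [[:digit:]][[:digit:]] -nvL *",
};

/* Index of the first entry whose pattern matches, or -1 if sudo would
 * reject the invocation under these four entries. */
int first_match(const char *user_args)
{
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        if (sudoers_args_match(patterns[i], user_args))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed iptables argument strings a user might type after sudo. */
    const char *tries[] = { "-nvL INPUT", "-w -nvL INPUT", "-w 5 -nvL INPUT",
                            "-w 10 -nvL INPUT", "-w 100 -nvL INPUT", "-nvL",
                            "-nvL INPUT -t nat" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-20s -> %s\n", tries[i],
               first_match(tries[i]) < 0 ? "denied" : "allowed");
    return 0;
}
```

A bare `-nvL` is denied because the literal space in `-nvL *` has to be present in the argument string, while the trailing `*` accepts any number of further words; both follow from fnmatch semantics and are worth verifying before relying on such an entry.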
2 Answers
You can use the Cmnd_Alias function.
Cmnd_Alias ITEM_IPTABLES = /usr/bin/iptables (-w)? [[:digit:]]* -nvL *
Then add the Cmnd_Alias you defined to the list of commands for which you want sudo to skip asking for a password.
USERNAME ALL=(root) NOPASSWD: ITEM_IPTABLES
From man 5 sudoers:
? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
* Means that the preceding symbol (or group of symbols) may appear zero or more times.
Parentheses are used to define groups of symbols.
answered Sep 28 '17 at 4:35 by αғsнιη, edited Sep 28 '17 at 14:49
Great! That was exactly what I wanted. I should have read the whole man page. I thought sudoers used globbing, never heard of EBNF. Thanks.
– LF4
Sep 28 '17 at 16:51
Is there also a way to use wildcards in the RunAs part of a sudoers file command?
That is, in User Host = (Runas) Command, can wildcards be used for the (Runas) part?
E.g. all users starting with xyz, or all groups starting with abc?
answered 2 mins ago by EDH (new contributor)