I have this in /etc/sudoers:
%wheel myhostname =NOPASSWD: /bin/bash -c "echo foo && echo bar", \
/bin/bash -c echo foo
Executing sudo /bin/bash -c echo foo works without being prompted for a password.
However, sudo /bin/bash -c "echo foo && echo bar" still asks for a password.
I've tried many variations on this, but nothing is being accepted.
Where's the error? / How can I allow -c followed by multiple commands?
The problem is in how your shell interprets arguments. If I am in bash (most other shells work the same way), and I type the command
sudo /bin/bash -c "echo foo && echo bar"
sudo is invoked with everything after it as arguments. However, the shell processes each argument before passing it in to sudo. One of the things it does is remove quotes around quoted arguments. Therefore, the arguments that sudo gets as its argv value are an array that looks like this (one argument per line):
/bin/bash
-c
echo foo && echo bar
sudo combines these with spaces and compares that to the commands in the sudoers file (it is actually a bit more complicated than this, since it does wildcard replacement, etc.). Thus, the command it actually sees you executing, for the purposes of checking permissions, is
/bin/bash -c echo foo && echo bar
When I put that command in my sudoers file, I am not prompted for a password when I enter
sudo /bin/bash -c "echo foo && echo bar"
However, I am also not prompted for a password when I enter any of these commands or others like them:
sudo /bin/bash "-c echo foo && echo bar"
sudo /bin/bash "-c echo" foo "&& echo" bar
sudo /bin/bash -c echo "foo && echo" bar
In general, as far as I know, there is no way for sudo (or any program) to know exactly what command got entered, only what it gets converted to by the shell for execution purposes.
At least with my sudo (OS X 10.9, sudo 1.7.10p7), quote marks in the /etc/sudoers are matched literally. That is, specifying
/bin/bash -c "echo foo && echo bar"
means that the users literally have to run
sudo /bin/bash -c '"echo foo && echo bar"'
i.e. the quote marks have to be passed to the program.
Therefore, all you have to do is just drop the quote marks in /etc/sudoers:
%wheel myhostname =NOPASSWD: /bin/bash -c echo foo && echo bar
While this looks kind of weird, it completely works on my machine: users can execute /bin/bash -c "echo foo && echo bar" without a password. This works because, according to man sudoers, the only characters that must be escaped are ',', ':', '=' and '\'.
Note that this implies that sudo is basically concatenating all the command-line args together with only spaces to determine a match: users can also execute /bin/bash -c "echo foo" "&&" "echo bar". Therefore, you must take care that none of the arguments could individually be a security risk (e.g. that foo, && and bar aren't things that could be used to exploit your computer).
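Both answers come down to the same mechanism: the calling shell removes quotes and splits the command line into argv, and sudo then compares argv joined with single spaces against the command field of the sudoers entry. The script below is an added example, not code from the question or from either answer, that reproduces that comparison in shell so the cases discussed above can be checked without touching /etc/sudoers. It assumes a plain literal comparison (sudo's wildcard and digest handling is left out) and, when showing what the permitted command would actually execute, runs the system's sh in place of /bin/bash so the script works anywhere; the two rule strings are the ones from the page.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Models the two steps
# the answers describe: the interactive shell tokenizes the command line and
# removes quotes, then sudo joins argv with single spaces and compares the
# result with the command field of a sudoers entry. Wildcards, digests and the
# rest of sudoers matching are deliberately left out: plain string comparison.

RULE_UNQUOTED='/bin/bash -c echo foo && echo bar'   # the rule the answers recommend
RULE_QUOTED='/bin/bash -c "echo foo && echo bar"'   # the rule from the question

# The string sudo compares against the sudoers command field: argv joined with
# single spaces. "$*" joins the positional parameters with the first character
# of IFS (a space by default), which reproduces that join exactly.
sudo_match_string() {
    printf '%s' "$*"
}

# Succeeds when argv (already tokenized by the calling shell, quotes removed)
# matches the sudoers command spec given as the first argument.
sudoers_matches() {
    spec=$1
    shift
    [ "$(sudo_match_string "$@")" = "$spec" ]
}

# What the permitted interpreter does with that argv once sudo lets it through:
# for -c, the next argument is the script and any further arguments become
# $0, $1, ...  argv[0] (the interpreter path) is dropped and the system's own
# sh is used instead so this runs anywhere; bash treats -c the same way here.
executed_output() {
    shift
    sh "$@" 2>&1
}

# --- walk through the cases discussed in the answers ----------------------

# 1. The command line from the question, after shell tokenization.
printf 'argv as sudo receives it:\n'
printf '  [%s]\n' /bin/bash -c "echo foo && echo bar"
printf 'string sudo compares: %s\n\n' "$(sudo_match_string /bin/bash -c "echo foo && echo bar")"

# 2. The quoted rule only matches when the quote characters are themselves part
#    of an argument, i.e. the user typed '"echo foo && echo bar"'.
sudoers_matches "$RULE_QUOTED" /bin/bash -c "echo foo && echo bar" \
    && echo 'quoted rule, plain command: match' \
    || echo 'quoted rule, plain command: no match (password prompt)'
sudoers_matches "$RULE_QUOTED" /bin/bash -c '"echo foo && echo bar"' \
    && echo 'quoted rule, quotes passed literally: match'

# 3. The unquoted rule matches every tokenization that joins to the same string.
sudoers_matches "$RULE_UNQUOTED" /bin/bash -c "echo foo && echo bar"     && echo 'unquoted rule, variant 1: match'
sudoers_matches "$RULE_UNQUOTED" /bin/bash "-c echo foo && echo bar"     && echo 'unquoted rule, variant 2: match'
sudoers_matches "$RULE_UNQUOTED" /bin/bash -c "echo foo" "&&" "echo bar" && echo 'unquoted rule, variant 3: match'

# 4. ... but the interpreter does not see the same thing: variant 1 runs both
#    commands, variant 3 runs only "echo foo" with $0="&&" and $1="echo bar".
printf '\nvariant 1 executes:\n%s\n' "$(executed_output /bin/bash -c "echo foo && echo bar")"
printf 'variant 3 executes:\n%s\n' "$(executed_output /bin/bash -c "echo foo" "&&" "echo bar")"
```

Run it with sh. The thing to take from it when reviewing such an entry: an unquoted rule authorizes every argv that collapses to the same space-joined string, and variant 3 shows that two argv lists which match identically can hand the interpreter a different script, so the rule should be read as permitting whatever the joined string admits rather than the single command the administrator had in mind.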