How to add flags and/or arguments to a command in the 'sudoers' file
How would I add flags and/or arguments to allow users in the sudoers file to run certain parts of commands, such as only allowing a user to run sudo rm and not sudo rm -rf? I am using 14.04.
```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset,pwfeedback
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL
Ruby ALL=/usr/bin/apt-get update,/usr/bin/rm,/usr/bin/rmdir,/usr/bin/mkdir

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```
1 Answer
As stated in the comments, there isn't a way to control sudoers in the way requested, although there are fine-grained permissions available in the system:
But even that isn't quite enough; you'd basically have to replace all the standard program libraries with scripts to filter flags, which would be messy and potentially break the system.
Instead, consider flipping the problem and creating users who don't need sudoers, making sure they're in the right groups and using ACLs to expand permissions where needed so they can access the files they need without causing issues.
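
For auditing an entry like the one in the question, here is a simplified model of how sudoers(5) matches command arguments, added as an illustration (it is not sudo's own code and not part of the original post). `parse_cmnd_list` and `is_permitted` are hypothetical helpers, Python's `fnmatch` stands in for sudo's wildcard matching, and aliases, `!` negation and escaped commas are left out.

```python
import fnmatch
import shlex

# Cmnd list copied from the "Ruby" entry in the question's sudoers file.
PAGE_SPEC = "/usr/bin/apt-get update,/usr/bin/rm,/usr/bin/rmdir,/usr/bin/mkdir"


def parse_cmnd_list(spec):
    """Split a Cmnd list into (path, args_pattern) pairs.

    args_pattern is None when the entry lists no arguments (sudo then
    accepts any arguments), "" when the entry is written as `cmd ""`
    (no arguments accepted), otherwise the argument pattern as one string.
    """
    rules = []
    for entry in spec.split(","):
        path, _, rest = entry.strip().partition(" ")
        rest = rest.strip()
        if not rest:
            pattern = None
        elif rest == '""':
            pattern = ""
        else:
            pattern = rest
        rules.append((path, pattern))
    return rules


def is_permitted(spec, command_line):
    """Return True if command_line matches any entry in the Cmnd list."""
    argv = shlex.split(command_line)
    path, args = argv[0], " ".join(argv[1:])
    for rule_path, pattern in parse_cmnd_list(spec):
        if rule_path != path:
            continue
        # A bare command matches every argument list. Otherwise the
        # arguments are compared as ONE joined string, so `*` in a
        # pattern also spans spaces and later options.
        if pattern is None or fnmatch.fnmatchcase(args, pattern):
            return True
    return False
```

On a real system, `sudo -l -U <user>` lists what a user may run and `visudo -c` checks the file's syntax.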