I have specified the full pathname in the allowed commands, e.g. "/bin/systemctl stop tomcat", to eliminate someone putting in a systemctl command that does something else somewhere else in the $PATH. My problem is that "sudo systemctl stop tomcat" works. I expect that to fail and the user to be required to type "sudo /bin/systemctl stop tomcat".
What is going on with sudo?
`sudo` sets a limited path for commands and `/bin` is in that path. `/bin/cmd` and `cmd` will be treated equivalently. It is only if the command is outside the standard PATH that your sudo restrictions really apply. If the user had `systemctl` in a non-standard place (e.g. `~/bin/systemctl`) that command would be ignored. – doneal24 Sep 15 '22 at 19:31

`secure_path` feature – steeldriver Sep 15 '22 at 19:44
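
An added example, not part of the original question or comments: a simplified shell model of the lookup described in the comments, where a bare command name is resolved through a fixed search path and the resulting full path is compared with the one in the sudoers rule. The function names, the temporary directory layout and the plain string comparison are assumptions of this sketch; it does not call sudo.

```shell
#!/bin/sh
# Simplified model (assumption of this example, not sudo's own code) of how a
# typed command becomes the full path that is compared with a sudoers rule.

# resolve NAME SEARCH_PATH: print the full path that would run.
# A name containing "/" is used as typed; a bare name is looked up in the
# colon-separated SEARCH_PATH and the first executable match wins.
resolve() {
    case "$1" in
        */*) [ -x "$1" ] && printf '%s\n' "$1"; return ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check TYPED SEARCH_PATH RULE: "allowed" when the resolved path equals the
# full path written in the rule, "denied" otherwise (including not found).
check() {
    resolved=$(resolve "$1" "$2") || { echo denied; return 0; }
    if [ "$resolved" = "$3" ]; then echo allowed; else echo denied; fi
}

# Constructed sandbox: $root/bin stands in for /bin, $root/home/bin for ~/bin.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/home/bin"
    for f in "$root/bin/systemctl" "$root/home/bin/systemctl"; do
        printf '#!/bin/sh\n' > "$f"; chmod +x "$f"
    done
    secure_path="$root/sbin:$root/bin"       # stands in for secure_path
    user_path="$root/home/bin:$secure_path"  # a user-controlled $PATH
    rule="$root/bin/systemctl"               # full path listed in the rule
}

demo_setup
check systemctl "$secure_path" "$rule"                    # bare name
check "$root/bin/systemctl" "$secure_path" "$rule"        # full path, same file
check "$root/home/bin/systemctl" "$secure_path" "$rule"   # look-alike elsewhere
check systemctl "$user_path" "$rule"                      # bare name, user PATH
rm -rf "$root"
```

The first two calls give the same answer because the bare name resolves to the path in the rule; the last two resolve to the copy under the stand-in home directory, which does not equal the rule.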