In particular I want to allow the following command without password:

 sudo cfgutil --ecid "${Device_ECID}" install-application "${in_File_Name}"

With Device_ECID and in_File_Name changing from one call to the next. I found several examples, but most are about the opposite: prohibiting variable parameters entirely or allowing any parameters.


Update:

Shortly after posting I found out about wildcards. The following works for me:

%_developer ALL=(root) NOPASSWD: /usr/local/bin/cfgutil list-devices
%_developer ALL=(root) NOPASSWD: /usr/local/bin/cfgutil --ecid * install-application *

However, from @marcus-müller's answer I take it that this only works because there are no actual spaces in the filename. So I wonder if there is something else I'm still missing.

Martin
  • With the rules listed, developer can run sudo cfgutil --ecid blah blah blah --some-random option who-cares install-application anything I care to install --some-other-option – muru Mar 21 '24 at 10:31
  • @muru The user will be a DevOps build agent ;-). And even when someone types in any random gibberish on the Terminal all you get is either “device not found” or “file not found”. But yes, thanks for mentioning it. It's important to know. – Martin Mar 21 '24 at 13:31
  • The point isn't the random gibberish. The point is that someone who knows what cfgutil does (I have no idea what it is) may be able to do more with it using additional options than you'd think at first based on the sudoers rule. If this command had an option to, say, run another command before or after installing the package, you might even be able to run arbitrary things as root. Essentially you'd have to thoroughly inspect every combination of options possible. – muru Mar 21 '24 at 14:13

1 Answer

Sudo does have the ability to selectively allow multi-word command lines, but it's a bad idea all around.

However, to the best of my knowledge, variable placeholders are not among the things sudoers supports, and frankly, for good reason; the alternative is easy:

Instead, I'd strongly suggest you write a shell script, make sure only root can modify it, mark it executable. The script takes exactly two arguments, and calls cfgutil as desired:

#!/bin/sh
# Add string sanitation here if needed
# Exactly two arguments, as intended; anything else is refused before cfgutil runs
[ "$#" -eq 2 ] || { echo "usage: $0 <ecid> <app-file>" >&2; exit 2; }
# Full path so that PATH cannot redirect the call to a different cfgutil
exec /usr/local/bin/cfgutil --ecid "$1" install-application "$2"

and allow that in sudoers. You can then sudo myscript argument1 argument2 and it works.

  • And remember that making sure only root can modify the script includes making not only the file but also the containing directory only writable by root. – ilkkachu Mar 21 '24 at 10:10
  • Note that I always quote parameters to be compatible with filenames in space. Even when I don't actually expect any spaces. – Martin Mar 21 '24 at 10:11
  • @Martin that's very good, but sudo still doesn't support it – Marcus Müller Mar 21 '24 at 10:14
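
A fleshed-out version of the wrapper approach, added here as an example (it is not the answer's script and not part of cfgutil). It assumes cfgutil lives at /usr/local/bin/cfgutil (the path from the question's sudoers lines) and that an ECID is a hexadecimal number, optionally prefixed with 0x; the function and script names are hypothetical. The point it demonstrates is the one raised in the comments above: because the wrapper builds a fixed argv itself, the caller can never smuggle in extra cfgutil options, and the two user-controlled values are checked before they reach a root process.

```shell
#!/bin/sh
# Hypothetical wrapper script (e.g. /usr/local/sbin/install-app-wrapper),
# meant to be root-owned, root-writable only, and the only target in sudoers.
# Assumption: cfgutil is at the path below and ECIDs are hex, optionally 0x-prefixed.
CFGUTIL=/usr/local/bin/cfgutil

# valid_ecid ECID: succeed only for a non-empty hex string (optional 0x prefix).
# Spaces, leading dashes and any other character are rejected, so the value
# can never be parsed by cfgutil as a further option.
valid_ecid() {
    hex=${1#0x}
    case "$hex" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# valid_app_path PATH: reject option-looking values and anything that is not
# an existing, readable regular file. cfgutil only ever sees a checked path.
valid_app_path() {
    case "$1" in
        -*) return 1 ;;
    esac
    [ -f "$1" ] && [ -r "$1" ]
}

# main ECID APP: the only argv ever handed to cfgutil is the fixed shape below;
# there is no way to append or reorder options from the command line.
main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 <ecid> <app-file>" >&2; exit 2; }
    valid_ecid "$1"     || { echo "rejected ECID: $1" >&2; exit 2; }
    valid_app_path "$2" || { echo "rejected app path: $2" >&2; exit 2; }
    exec "$CFGUTIL" --ecid "$1" install-application "$2"
}

# Dispatch only when arguments were given; with none, the file just defines
# the functions so they can be sourced and checked without a device attached.
case $# in
    0) : ;;
    *) main "$@" ;;
esac
```

With this in place the sudoers entry names only the wrapper (for example `%_developer ALL=(root) NOPASSWD: /usr/local/sbin/install-app-wrapper`), with no wildcards at all; sudo logs the two arguments, and the filename-with-spaces concern disappears because the values are passed as separate argv entries rather than matched against a pattern.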