[ Team LiB ] Previous Section Next Section

Recipe 5.9 Prohibiting Command Arguments with sudo

5.9.1 Problem

You want to permit a command to be run via sudo, but only without command-line arguments.

5.9.2 Solution

Follow the program name with the single argument "" in /etc/sudoers:

/etc/sudoers:
smith  ALL = (root) /usr/local/bin/mycommand ""

smith$ sudo -u root mycommand a b c                         Rejected
smith$ sudo -u root mycommand                               Authorized

5.9.3 Discussion

If you specify no arguments to a command in /etc/sudoers, then by default any arguments are permitted.

/etc/sudoers:
smith  ALL = (root) /usr/local/bin/mycommand

smith$ sudo -u root mycommand a b c                         Authorized

Use "" to prevent any runtime arguments from being authorized.

5.9.4 See Also

sudo(8), sudoers(5).
    [ Team LiB ] Previous Section Next Section