I want to add an entry to my suoders to allow one user to run a command with exactly one non-option argument.
# tail -1 /etc/sudoers
ALL ALL = (:tool) NOPASSWD: /bin/echo [a-z]*
$ sudo -g tool /bin/echo abc def
abc def
$ sudo -g tool /bin/echo -abc def
[sudo] password for user:
Can I do that using the sudoers sytnax? Or do I need to create a helper script?
To my knowledge, you cannot pass non-command arguments into sudo if that argument varies.
You can specify something like this:
This would allow the user to tail somefile but not other files.
If you need to pass a variable, I recommend a wrapper script.
Here is an example of an rsync wrapper:
https://sites.google.com/site/beingroot/articles/useful-scripts/wrapper-script-to-use-rsync-via-sudo
If you search google for sudo wrappers, you can find many more examples.
Be sure to hard code all paths and run sanity checks on the input if the user cannot be trusted.