
We have a git post-commit script that needs to be run with Git and Trac; when someone commits something, a hook is called that runs the command:

trac-admin /path/to/trac changeset added "reponame" $REV

Where $REV is dynamic depending on the revision of the push. The problem is that this command requires that the committing user have write permission to the trac database.

We have many users committing; they are all in a Linux group called "git". I can give rw to this group on the trac DB file (SQLite) and it works; however, then anyone in the "git" group could delete the database. It is currently owned by www-data,www-data.

I added a sudo config line of this:

%git ALL=(www-data) NOPASSWD: /usr/local/bin/trac-admin

This works, it allows the script to work; however, now they have all the options that come with trac-admin. I want to limit the access of this command to include the arguments of /path/to/trac and changeset added.

I tried adding a Cmnd_Alias with /usr/local/bin/trac-admin /path/to/trac changeset added "reponame", but it does not work because the added $REV is breaking it, and that can't be added dynamically into /etc/sudoers.

Is there a way to include wildcards in a Cmnd_Alias to allow this to work in sudoers?

Pratik Amin
  • Random comment about the security of the machine... I'm assuming that these will be people committing remotely and that the reason they've been added as users to the physical machine is because you're accessing the repos using something like git+ssh? If this is the case, I think that the easiest solution would be to add write access for the git group to the trac db file and then use something like gitosis (see: http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way) to manage physical ssh access to the machine. – photoionized Apr 08 '11 at 18:25

2 Answers


Create a script which does only the thing you want to grant access to, then grant sudo access to that script instead of granting sudo access to trac-admin.

stew

Put this in /usr/local/bin/whatever:

#!/bin/bash --
# Wrapper that exposes exactly one trac-admin subcommand through sudo.
# Quoting "$1" and "$2" already passes each value as a single argument, so no
# printf '%q' escaping is needed; it would leave literal backslashes in the values.
set -eu

reponame="$1"
rev="$2"

/usr/local/bin/trac-admin /path/to/trac changeset added "$reponame" "$rev"

Then use /usr/local/bin/whatever in sudoers. Give users these instructions:

sudo whatever repo rev

poisonbit
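A stricter form of the wrapper both answers recommend, added here as an example rather than code from either answer: sudoers does accept shell-style wildcards in command arguments, but a `*` also matches whitespace and so admits extra arguments, whereas a wrapper can validate each value before the one fixed trac-admin command runs. The script name, the allowlist of repository names, the Trac path and the sudoers lines in the comments are assumptions.

```shell
#!/bin/bash --
# Added example wrapper (assumed path: /usr/local/bin/trac-changeset-added).
# Matching sudoers lines (assumed) restrict the git group to this one script:
#   Cmnd_Alias TRAC_HOOK = /usr/local/bin/trac-changeset-added
#   %git ALL=(www-data) NOPASSWD: TRAC_HOOK
set -eu

TRAC_ENV=/path/to/trac                         # Trac environment (assumed)
TRAC_ADMIN=${TRAC_ADMIN:-/usr/local/bin/trac-admin}
ALLOWED_REPOS="reponame otherrepo"             # constructed allowlist

# validate_args REPO REV: succeed only if REPO is on the allowlist and REV
# looks like an abbreviated or full git object id (7 to 40 hex digits).
validate_args() {
    case $1 in
        *[!A-Za-z0-9_.-]*|'') return 1 ;;      # no whitespace or shell metacharacters
    esac
    case " $ALLOWED_REPOS " in
        *" $1 "*) ;;                           # exact allowlist member
        *) return 1 ;;
    esac
    case $2 in
        *[!0-9a-f]*|'') return 1 ;;            # lowercase hex digits only
    esac
    [ ${#2} -ge 7 ] && [ ${#2} -le 40 ]
}

# run_hook REPO REV: run the single permitted trac-admin subcommand.
# Returns 2 without touching trac-admin when the arguments are rejected.
run_hook() {
    if [ $# -ne 2 ] || ! validate_args "$1" "$2"; then
        echo "usage: ${0##*/} REPO REV (REPO allowlisted, REV a hex commit id)" >&2
        return 2
    fi
    # Each value is passed as one quoted word; no shell re-parsing happens.
    "$TRAC_ADMIN" "$TRAC_ENV" changeset added "$1" "$2"
}

# With no arguments the script only defines the functions (handy for testing);
# the git hook calls it as: sudo -u www-data trac-changeset-added reponame "$REV"
if [ $# -gt 0 ]; then
    run_hook "$@"
fi
```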