20
6
is there a straight-forward way to allow a user to run (for example)
/usr/bin/pacman -S -u
as root, without allowing him to run
/usr/bin/pacman -S -u some_package
?
The line
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -u
allows both, and
user ALL=(root) NOPASSWD: /usr/bin/pacman -S -u ""
appears to be semantically equivalent.
nisc
Posted 2010-07-25T23:13:57.000
Reputation: 983
27
For your case try something like this:
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
user ALL=(root) NOPASSWD: PACMAN
You can use shell glob patterns like [a-z],[0-9],* etc. in your sudoers file to exclude packages that match a certain pattern.
matthias krull
Posted 2010-07-25T23:13:57.000
Reputation: 2 394
3
Write a script that does what you want and give sudo access to it.
Also make sure that whatever environment this is run in does not have access to the networking at all, or they can just use their own dns to spoof the mirror and then run arbitrary code as root when it gets installed by pacman.
Daenyth
Posted 2010-07-25T23:13:57.000
Reputation: 5 742
1Not the best solution, but +1 for security warning – Aaron J Lang – 2014-11-10T12:22:58.587
thats not an elegant way, sudo supports by default the exact given case – matthias krull – 2010-07-26T10:59:42.473