Username expansion in sudoers file command possible?

0

1

I have the following in my sudoers file:

User_Alias DU=%domain\ users
DU ALL = NOPASSWD:NOEXEC: /sbin/mount.cifs \\\\* /home/* -o sec=krb5\,* ,/bin/umount -t cifs /home/*

This works, users who are in the right group, and have a Kerberos ticket can mount their shares somewhere in their home.

But right now, any user can mount cifs shares in any directory under /home (because of the /home/*), and thus annoy their fellow users.

It would be a lot better if I would be able to change that to e.g. /home/$username, where $username is the name of calling user.

Is there a way to do this within the sudoers file?

Otherwise I will have to create wrappers to limit the locations people can mount and unmount.

Jan van Haarst

Posted 2014-08-19T10:58:35.693

Reputation: 36

Answers

0

I was looking for the same answer, but I have not found anything usable. AFAIK it is not possible, because the sudoers file is plain text and not interpreted in any way. So the $-expansion for variables is a shell feature, but for the sudo program it's just \$username. A special syntax to declare a variable in the sudoers file does not exist, at least I have not found it so far.

A workaround would be to put your mount command into a script file and put that script into the sudoers file. Remove the write permissions for other users (chmod o-w scriptfile) and you should be good to go.

Oliver R.

Posted 2014-08-19T10:58:35.693

Reputation: 188
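
The wrapper approach from the answer above, as an added example that is not part of the original post: it takes the caller from the `SUDO_USER` and `SUDO_UID` variables that sudo sets, and accepts a mount point only if its canonical path lies below that user's home directory. The wrapper path, the `//server/share` form and the fixed option string are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper /usr/local/sbin/home-cifs (name assumed).
# Assumed sudoers rule:  DU ALL = NOPASSWD: /usr/local/sbin/home-cifs
set -u
LC_ALL=C; export LC_ALL

# Print the canonical path of $2 and succeed only if it is an existing
# directory strictly below home directory $1 (symlinks and ".." resolved).
target_in_home() {
    _home=$(readlink -f -- "$1") || return 1
    _dir=$(readlink -f -- "$2") || return 1
    [ -n "$_home" ] && [ "$_home" != "/" ] && [ -d "$_dir" ] || return 1
    case "$_dir" in
        "$_home"/*) printf '%s\n' "$_dir" ;;
        *) return 1 ;;
    esac
}

# Accept only //server/share from a conservative character set
# (assumption: forward-slash UNC form, no spaces or commas in names).
valid_share() {
    case "$1" in //?*/?*) ;; *) return 1 ;; esac
    case "${1#//}" in
        *[!A-Za-z0-9._/-]*|/*|*/|*/*/*) return 1 ;;
    esac
}

main() {
    user=${SUDO_USER:?run this through sudo}
    home=$(getent passwd "$user" | cut -d: -f6)
    case "${1:-}" in
        mount)
            [ $# -eq 3 ] && valid_share "$2" || { echo "usage: mount //server/share DIR" >&2; exit 2; }
            target=$(target_in_home "$home" "$3") || { echo "DIR must be below $home" >&2; exit 1; }
            # Options are fixed here; the caller cannot append any.
            exec /sbin/mount.cifs "$2" "$target" -o "sec=krb5,cruid=${SUDO_UID}"
            ;;
        umount)
            [ $# -eq 2 ] || { echo "usage: umount DIR" >&2; exit 2; }
            target=$(target_in_home "$home" "$2") || { echo "DIR must be below $home" >&2; exit 1; }
            exec /bin/umount -t cifs "$target"
            ;;
        *) echo "usage: $0 mount //server/share DIR | umount DIR" >&2; exit 2 ;;
    esac
}

# Run only when called with arguments, so the functions can be sourced and tested.
if [ $# -gt 0 ]; then main "$@"; fi
```

The assumed sudoers rule leaves out the question's NOEXEC tag, because NOEXEC is designed to stop a command from running further programs and would block the script from starting mount.cifs. Keep the file owned by root and not writable by anyone else, in line with the answer's chmod advice, so callers cannot edit the checks.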