block setfacl to specific group in sudo

Latest response

Hi All,

Am trying to block the setfacl command for sudo user (my specific requirement) as below:
%testing ALL= NOPASSWD: !/usr/bin/setfacl -m g:testing:*

Dont want sudo user to perform any setfacl operation for testing group.

Am getting below error:
@localhost ]$ sudo setfacl -m g:testing:rw- somefile/
sudo: >>> /etc/sudoers: syntax error near line 111 <<<
sudo: parse error in /etc/sudoers near line 111
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

line number 111 is :
%testing ALL= NOPASSWD: !/usr/bin/setfacl -m g:testing:*

Responses

Hello Gyan,

I can tell you the cause, : (colon) is a column separator. So this might be an UNTESTED solution: %testing ALL= NOPASSWD: !/usr/bin/setfacl -m g:testing:*

Kind regards,

Jan Gerrit

You need to escape the colon in "g:testing" for the reason Jan posted:

Try g\:testing instead.

From sudoers man page:

"If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a ’\’ if they are used in command arguments: ’,’, ’:’, ’=’, ’\’. The special command "sudoedit" is used to permit a user to run sudo with the -e option (or as sudoedit). It may take command line arguments just as a normal command does."

Thanks both.

Gyan,

Using sudo to block access (generate blacklists of commands) is generally easily circumvented. I would rethink your approach to providing/restricting access to tools like this.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.