Would match any file name beginning with a letter.
Note that a forward slash (`/') will n\bno\bot\bt be matched by wildcards used in
- the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+ the path name. This is to make a path like:
/usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ When matching the command line arguments, however, a slash d\bdo\boe\bes\bs get
+ matched by wildcards since command line arguments may contain arbitrary
+ strings and not just pathnames.
+
+ Wildcards in command line arguments should be used with care. Because
+ command line arguments are matched as a single, concatenated string, a
+ wildcard such as `?' or `*' can match multiple words. For example, while
+ a sudoers entry like:
+
+ %operator ALL = /bin/cat /var/log/messages*
+
+ will allow command like:
+
+ $ sudo cat /var/log/messages.1
+
+ It will also allow:
+
+ $ sudo cat /var/log/messages /etc/shadow
+
+ which is probaby not what was intended.
+
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
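Review bot: two typos in the added wildcard text: "will allow command like:" should read "will allow a command like:", and "probaby" should be "probably". The identical wording appears in the troff and mdoc renderings further down this patch, so fix it wherever the text is actually maintained and regenerate the other copies instead of hand-patching each one.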
- "" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run with
- a\ban\bny\by arguments.
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
+
+ sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
+ always be pathnames, so a forward slash (`/') will not be
+ matched by a wildcard.
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
on this feature as it is not universally available.
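Review bot: the new sudoedit exception contradicts the unqualified statement a few paragraphs up that a slash "does get matched by wildcards" in command line arguments. Add a pointer in that paragraph, e.g. "(except for sudoedit, see Exceptions to wildcard rules below)", so a reader who stops at the general rule does not conclude that a rule such as "sudoedit /etc/*" also covers files in subdirectories of /etc, which is the over-permissive reading the exception exists to rule out.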
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
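Review bot: the rsh(1) to ssh(1) substitution in SEE ALSO is unrelated to the wildcard documentation and is repeated in all three renderings in this patch; it belongs in its own commit. When splitting it out, check that whatever body text motivates the cross-reference talks about ssh rather than rsh, otherwise the SEE ALSO entry and the prose will disagree.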
\fBnot\fR
be matched by
wildcards used in the path name.
-When matching the command line arguments, however, a slash
-\fBdoes\fR
-get matched by
-wildcards.
This is to make a path like:
.nf
.sp
\fI/usr/bin/who\fR
but not
\fI/usr/bin/X11/xterm\fR.
+.PP
+When matching the command line arguments, however, a slash
+\fBdoes\fR
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just pathnames.
+.PP
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+`\&?'
+or
+`*'
+can match multiple words.
+For example, while a sudoers entry like:
+.nf
+.sp
+.RS 4n
+%operator ALL = /bin/cat /var/log/messages*
+.RE
+.fi
+.PP
+will allow command like:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages.1
+.RE
+.fi
+.PP
+It will also allow:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages /etc/shadow
+.RE
+.fi
+.PP
+which is probaby not what was intended.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
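Review bot: the paragraph says a wildcard "can match multiple words" but never says why, which is the part an administrator needs in order to predict what a pattern allows: the arguments are joined with single spaces and fnmatch(3) treats "*" and "?" as matching any character, the space included. Saying so explicitly explains both the "/var/log/messages /etc/shadow" example and the limit of the "?" case, which matches exactly one character and so can only bridge two adjacent words at a single space. Something like "a wildcard will match across word boundaries, since the space separating arguments is an ordinary character to the matcher" is more precise than "can match multiple words".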
-.TP 6n
+.TP 10n
\fR\&""\fR
If the empty string
\fR\&""\fR
entry it means that command is not allowed to be run with
\fBany\fR
arguments.
+.TP 10n
+sudoedit
+Command line arguments to the
+\fIsudoedit\fR
+built-in command should always be pathnames, so a forward slash
+(`/')
+will not be matched by a wildcard.
.SS "Including other files from within sudoers"
It is possible to include other
\fIsudoers\fR
Administrators should not rely on this feature as it is not universally
available.
.SH "SEE ALSO"
-rsh(1),
+ssh(1),
su(1),
fnmatch(3),
glob(3),
.Sy not
be matched by
wildcards used in the path name.
-When matching the command line arguments, however, a slash
-.Sy does
-get matched by
-wildcards.
This is to make a path like:
.Bd -literal -offset 4n
/usr/bin/*
.Pa /usr/bin/who
but not
.Pa /usr/bin/X11/xterm .
+.Pp
+When matching the command line arguments, however, a slash
+.Sy does
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just pathnames.
+.Pp
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+.Ql \&?
+or
+.Ql *
+can match multiple words.
+For example, while a sudoers entry like:
+.Bd -literal -offset 4n
+%operator ALL = /bin/cat /var/log/messages*
+.Ed
+.Pp
+will allow command like:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages.1
+.Ed
+.Pp
+It will also allow:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages /etc/shadow
+.Ed
+.Pp
+which is probaby not what was intended.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
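Review bot: after warning that "/var/log/messages*" is over-permissive, the text leaves the administrator with no safe alternative. A bracket expression matches exactly one character from its set, so a pattern such as "/var/log/messages.[0-9]" cannot match the space that separates arguments and therefore permits a single rotated log with a one-digit suffix and nothing else; listing the permitted files explicitly is the other option. One sentence along those lines turns the caveat into actionable guidance. The "probaby" and "will allow command like" typos noted in the other renderings are present in this hunk as well.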
-.Bl -tag -width 4n
+.Bl -tag -width 8n
.It Li \&""
If the empty string
.Li \&""
entry it means that command is not allowed to be run with
.Sy any
arguments.
+.It sudoedit
+Command line arguments to the
+.Em sudoedit
+built-in command should always be pathnames, so a forward slash
+.Pq Ql /
+will not be matched by a wildcard.
.El
.Ss Including other files from within sudoers
It is possible to include other
Administrators should not rely on this feature as it is not universally
available.
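Review bot: style: the new tag is written as bare ".It sudoedit" while the body marks the same word up with ".Em sudoedit", and the neighbouring entry tags its term with ".Li \&"""; apply the same macro on the tag so the term renders consistently within the list. The troff rendering has the matching mismatch, plain "sudoedit" after ".TP 10n" against "\fIsudoedit\fR" in the body, and should be corrected in step.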
.Sh SEE ALSO
-.Xr rsh 1 ,
+.Xr ssh 1 ,
.Xr su 1 ,
.Xr fnmatch 3 ,
.Xr glob 3 ,