

Defining SUDO Records

A record in the SUDO class stores a command script so that users can run the script with borrowed permissions. The ability to borrow permissions is tightly controlled by the SUDO record, as well as by the sesudo command that executes the scripts.

In a SUDO record, the comment property is used for a special purpose, and often it is known by its alternate name: the data property.

The data property's value is the command script, optionally followed by one or more script parameter values that are to be prohibited or permitted. The entire data property value must be enclosed in single quotes, and executables should be referenced by their complete path names so that a different program of the same name found earlier in the search path cannot be run in their place (a Trojan horse).

This is the format for the data property:

data('cmd[;[prohibitedvalues][;permittedvalues]]')

Because the lists of prohibited and permitted values are optional, a simple data property value could be the following:

newres SUDO MountCd data('mount /dev/cdrom /cdr')

The simple value in the command means that the command sesudo MountCd executes the script mount /dev/cdrom /cdr. No particular script parameter values are prohibited; all are permitted.

Wildcards and powerful variables give you flexibility in specifying prohibited and permitted parameters. The wildcards you can use are the standard UNIX wildcards. The variables are these:

Variable  Description
$A        Alphabetic value
$G        Existing CA ControlMinder group name
$H        Home path pattern of the user
$N        Numeric value
$O        Executor's user name
$U        Existing CA ControlMinder user name
$e        SUDO commands with no parameters
$f        Existing file name
$g        Existing UNIX group name
$h        Existing host name
$r        Existing UNIX file name with UNIX read permission
$u        Existing UNIX user name
$w        Existing UNIX file name with UNIX write permission
$x        Existing UNIX file name with UNIX exec permission

If you append a list of prohibited parameter values to the script:

If you append a list of permitted parameter values to the script:

Thus, the overall format for the data property is this: first the script; then the prohibited values, parameter by parameter; then the permitted values, parameter by parameter:

data('cmd; \
 param1_prohib1 param1_prohib2 ... param1_prohibN | \
 param2_prohib1 param2_prohib2 ... param2_prohibN | \
 ...
 paramN_prohib1 paramN_prohib2 ... paramN_prohibN ; \
 param1_permit1 param1_permit2 ... param1_permitN | \
 param2_permit1 param2_permit2 ... param2_permitN | \
 ...
 paramN_permit1 paramN_permit2 ... paramN_permitN')
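As an added illustration that is not part of the CA ControlMinder documentation or product, the following Python parses a data property value in the format above and checks a proposed parameter list against it, which is useful for auditing a SUDO record before it is deployed. The evaluation order (a prohibited match denies first, then each position with a permitted list must match one entry) and the handling of the variables are assumptions; only $A, $N and $f are implemented, and the sample record is constructed.

```python
import fnmatch
import os

# Constructed sample record: a restart script whose first parameter may not be
# "sshd" and must be alphabetic, and whose second parameter must be numeric.
SAMPLE = "'/usr/local/bin/restart_service; sshd; $A | $N'"


def parse_data(value):
    """Split a data property value into (cmd, prohibited, permitted).

    Sections are separated by ';', parameter positions by '|', and the
    alternative values for one position by whitespace. An empty list for a
    position means no rule applies there.
    """
    if value.startswith("'") and value.endswith("'"):
        value = value[1:-1]
    parts = value.split(";", 2)

    def positions(section):
        return [p.split() for p in section.split("|")] if section.strip() else []

    prohibited = positions(parts[1]) if len(parts) > 1 else []
    permitted = positions(parts[2]) if len(parts) > 2 else []
    return parts[0].strip(), prohibited, permitted


def matches(pattern, arg):
    """Match one argument against a literal, a UNIX wildcard or a variable."""
    if pattern == "$A":
        return arg.isalpha()
    if pattern == "$N":
        return arg.isdigit()
    if pattern == "$f":
        return os.path.exists(arg)
    if pattern.startswith("$"):
        # Assumption: other variables need the product's database; fail loudly
        # rather than silently treating them as literals.
        raise NotImplementedError(f"variable {pattern} not supported here")
    return fnmatch.fnmatchcase(arg, pattern)


def check_args(data_value, args):
    """Return (allowed, detail). Positions with no rule accept any value."""
    cmd, prohibited, permitted = parse_data(data_value)
    for i, arg in enumerate(args):
        if i < len(prohibited) and any(matches(p, arg) for p in prohibited[i]):
            return False, f"param {i + 1} {arg!r} is prohibited"
        if i < len(permitted) and permitted[i] and not any(matches(p, arg) for p in permitted[i]):
            return False, f"param {i + 1} {arg!r} is not permitted"
    return True, cmd + " " + " ".join(args)
```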