Can I use the value of an environment variable in a sudoers rule

Andy

Nov 17, 2009, 1:27:45 PM
I want to do something like

ALL ALL=/bin/mount -o loop -t ext3 $HOME/* $HOME/*

to allow users to loopback mount a filesystem image, but only in their
own home directory, by doing, for example

$ sudo /bin/mount -o loop -t ext3 $HOME/imagefile $HOME/mountpoint

That one passes the value of $HOME to sudo and the rule doesn't match.
Single quoting $HOME to avoid shell interpretation passes $HOME to
/bin/mount, which fails to understand it.

I have set my /etc/sudoers to preserve the value of $HOME.
It will work with '/bin/bash' inserted but that seems wide open to
abuse.
Is there any way to get sudo to use the value of $HOME in a rule?

best

Andy

Gerard H. Pille

Nov 18, 2009, 12:38:16 PM
Andy wrote:
> I want to do something like
>
> ALL ALL=/bin/mount -o loop -t ext3 $HOME/* $HOME/*
>

Why not have a script that does that, and allow them to execute that script?

Andy

Nov 19, 2009, 4:29:04 PM

Because I can write any series of statements into the $HOME string

e.g. export HOME="; cd /; rm -rf * ; /etc/halt;"
sudo script

You could obviously try to scan the $HOME string but.....
Running a sudoed shell or other interpreter is a bad idea IMHO.

Andy
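
Added example, not part of the original thread: one way to write the wrapper discussed above so that it never reads $HOME. It takes the home directory from the passwd entry for SUDO_UID (set by sudo), canonicalises both paths, and execs mount with an argument list and no shell. The wrapper name and install path are hypothetical.

```python
# Hypothetical wrapper (name and path are assumptions): install root-owned as
# /usr/local/sbin/loopmount and list it in sudoers instead of /bin/mount.
import os
import pwd
import sys

MOUNT = "/bin/mount"


def invoking_home(env=os.environ):
    # sudo sets SUDO_UID; the home comes from the passwd database and the
    # caller-controlled $HOME is never read.
    return os.path.realpath(pwd.getpwuid(int(env["SUDO_UID"])).pw_dir)


def resolve_inside(home, path):
    # Resolve symlinks and "..", then require a location strictly below home.
    real = os.path.realpath(path)
    if real == home or os.path.commonpath([home, real]) != home:
        raise ValueError(f"{path!r} is not inside {home!r}")
    return real


def build_mount_argv(home, image, mountpoint):
    img = resolve_inside(home, image)
    mnt = resolve_inside(home, mountpoint)
    if not os.path.isfile(img):
        raise ValueError("image is not a regular file")
    if not os.path.isdir(mnt):
        raise ValueError("mount point is not a directory")
    # Paths are absolute (never parsed as options); nosuid,nodev is added here.
    return [MOUNT, "-o", "loop,nosuid,nodev", "-t", "ext3", img, mnt]


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: loopmount IMAGE MOUNTPOINT")
    try:
        args = build_mount_argv(invoking_home(), argv[1], argv[2])
    except (KeyError, ValueError) as exc:
        sys.exit(f"refused: {exc}")
    # The argv list goes straight to mount; no shell parses it, so ';' or '*'
    # in a name stays a filename character. The user can still swap a path
    # component between the check and the mount; that race is not closed here.
    os.execv(MOUNT, args)


if __name__ == "__main__":
    main(sys.argv)
```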

Gerard H. Pille

Nov 21, 2009, 11:34:34 AM
Andy wrote:
> Running a sudoed shell or other interpreter is a bad idea IMHO.
>
> Andy

As is using sudo.
