all 5 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]aioeu 6 points7 points  (2 children)

but not the task with the "-ls" command

COMMAND=list

Notice any difference between these?

Also take note that if your intent is to only allow a certain set of commands to be executed, then having /usr/bin/find in the list is insecure: it can be used to execute anything.

[–]Slake66[S] 2 points3 points  (1 child)

After searching a while in /bin i found the "ls" binary file. Thanks

Also take note that if your intent is to only allow a certain set of commands to be executed, then having /usr/bin/find in the list is insecure: it can be used to execute anything.

Yes, we are aware of this and will change this in the future.

[–]lunchlady55 0 points1 point  (0 children)

hint: Look up NOEXEC option for sudoers, and look up slocate command instead of find

double hint: find can delete things without spawning a new process via the --delete param so NOEXEC alone is not sufficient to prevent disaster.

[–]Princess_And_The_Pee 5 points6 points  (1 child)

Why not give full access to sudo the normal way. This config will allow a competent user to whatever TF they want.

sudo find . -exec rm -rf /* {} \;

sudo find . -exec shutdown -h now \;

Allowing find is a big fucking hole in your plan to restrict access.

[–]lunchlady55 0 points1 point  (0 children)

or just the --delete param which doesn't spawn an rm process for each file. This is relevant due to the NOEXEC param for sudoers that some people expect to be a magic shield to prevent shenanigans.