Disabling sudo logging very specific command
Dan Kenigsberg
danken at cs.technion.ac.il
Sat Oct 10 13:59:54 IST 2009
On Thu, Oct 01, 2009 at 10:45:41AM +1000, Amos Shapira wrote:
> Hello,
>
> We have a script which runs in a loop and contains a command like:
>
> for ONE_USER in $USER_GROUP
> {
> sudo $BINDIR/getmail $ONE_USER $TOPDIR
> }
>
> This script is executed by a non-root user and generates tons of
> output in /var/log/secure (this is an old Fedora Core system,
> eventually I'll get around to replace it with CentOS 5).
>
> Is there a way to limit sudo NOT to log just this specific case - i.e.
> only allow this user to execute $BINDIR/getmail with two parameters,
> don't ask for a password but also don't log ONLY execution which was
> permitted by this line?
>
> The script also calls sudo with another specific command which I'd
> like to do the same for.
>
> So far I didn't find a way to do that.
You should be able to do that by adding

    Cmnd_Alias BLA = /path/to/getmail * *
    youruser ALL=NOPASSWD: BLA
    Defaults!BLA !syslog

to /etc/sudoers.
(untested, unwarranted)
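
An added example, not part of the original thread: the same per-command Defaults approach, but sending these entries to a dedicated file so the audit trail leaves /var/log/secure without being lost. The path /var/log/sudo-getmail.log is an assumption; /path/to/getmail and youruser are the placeholders from the reply above.

```sudoers
# Added example, not from the original thread. Edit with visudo so the
# syntax is checked before the file is saved.
# /path/to/getmail and youruser are the thread's placeholders;
# /var/log/sudo-getmail.log is an assumed path.

Cmnd_Alias BLA = /path/to/getmail * *

# No password prompt, for this one command alias only.
youruser ALL = NOPASSWD: BLA

# Per-command Defaults: these apply only when the command being run
# matches BLA. Every other sudo invocation keeps the global settings.

# Stop sending these entries to syslog (/var/log/secure) ...
Defaults!BLA !syslog
# ... and record them in a separate file instead of dropping them.
Defaults!BLA logfile=/var/log/sudo-getmail.log

# Caveat: sudoers wildcards match across word boundaries in the argument
# string, so "* *" also matches invocations with more than two arguments.
```

The dedicated file grows at the same rate the syslog entries did, so it needs its own rotation rule.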