What is Date_Spec in sudoers policy?
I was reading through the sudoers policy manual. Under the 'User specification' section, I saw Date_Spec as part of the Option_Spec, which is in turn an optional part of the Cmnd_Spec.
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (Date_Spec | Timeout_Spec)
Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
Timeout_Spec ::= 'TIMEOUT=timeout'
What does this do? From my reading, it looks like something I can use to restrict the time span within which a user can run a command. Is that correct? If so, what are the possible use cases for such a feature?
Ref: man 5 sudoers
linux security sudo
asked yesterday
eternaltyro
1 Answer
Support for the Date_Spec appears to have been added in version 1.8.20, with the Changelog indicating that the code was changed by 2017-02-18:
Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP.
The option does exactly as you guessed: restricts the corresponding rule to have a start and/or end date.
For example, I added this rule:
jeff2 ALL=(ALL) NOTBEFORE=20190409212700 /bin/ps
and then executed the following as jeff2:
$ sudo -l
# ... elided ...
User jeff2 may run the following commands on r2d2:
(ALL) /bin/ls
(ALL) NOTBEFORE=20190410012700Z /bin/ps
$ date -u '+%Y%m%d %H:%M:%S'
20190410 01:25:52
$ sudo /bin/ps
Sorry, user jeff2 is not allowed to execute '/bin/ps' as root on r2d2.
$ sleep 2m ## plus get distracted by something
$ date -u '+%Y%m%d %H:%M:%S'
20190410 01:29:33
$ sudo /bin/ps
PID TTY TIME CMD
9607 pts/1 00:00:00 ps
I can see a use-case for this where you want to grant temporary additional access (say for a specific application upgrade or change), but you don't want to have to remember to log in before and after that timeframe to update sudoers. Perhaps you have a privileged user that's changing roles and no longer needs certain commands after a certain date; you could use NOTAFTER at your convenience, then go in and delete the rules at some point later. Similarly with NOTBEFORE for someone changing roles into one that is more privileged.
answered 23 hours ago
Jeff Schaller♦
Thanks, I'm also assuming you can do this to multiple commands? Like jeff2 can't run ps after Monday and he can't run ping after Tuesday? I wonder why this feature is not more popular. Seems like a handy thing. I need to read the man page more carefully and understand this better.
– eternaltyro
6 hours ago
Correct in your assumption; the Date_Spec is part of the Option_Spec which is part of the Cmnd_Spec, which is a comma-separated list of "commands", so ps could have a different Date_Spec than ping, for your example. I have not yet seen Date_Spec in the wild, myself, maybe because that feature is relatively new (in the non-LDAP world). In fact, I had to compile a newer version of sudo on that Debian "stable" VM in order to test my Answer.
– Jeff Schaller♦
6 hours ago
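Added example (not code from the question, the answer, or the sudo project): a small Python model of how NOTBEFORE/NOTAFTER windows decide whether a Cmnd_Spec applies, including the case raised in the comments of two commands on one line with different windows. It assumes the Generalized Time timestamp syntax from sudoers(5) as I read it (YYYYMMDDHHMM[SS][.fff] with an optional Z or ±hhmm suffix, no suffix meaning local time), uses a constructed UTC-4 "local" zone so that the answer's 20190409212700 comes out as 20190410012700Z, exactly as sudo -l displayed it, and the rule lines are constructed. The parser is a simplification for illustration, not sudo's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption (see lead-in): Date_Spec timestamps follow the Generalized Time
# syntax the sudoers(5) manual describes, YYYYMMDDHHMM[SS][.fff][Z|+hhmm|-hhmm].
# No suffix means local time.  LOCAL_TZ is a constructed stand-in for the host
# zone; UTC-4 reproduces the answer's 20190409212700 -> 20190410012700Z display.
LOCAL_TZ = timezone(timedelta(hours=-4))

_TS_RE = re.compile(r"^(\d{12})(\d{2})?(?:\.\d+)?(Z|[+-]\d{2}(?:\d{2})?)?$")
_RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?P<specs>.+)$")


def parse_timestamp(value, local_tz=LOCAL_TZ):
    """Turn a NOTBEFORE/NOTAFTER value into an aware UTC datetime."""
    m = _TS_RE.match(value)
    if not m:
        raise ValueError(f"bad Date_Spec timestamp: {value!r}")
    main, secs, suffix = m.groups()
    naive = datetime.strptime(main + (secs or "00"), "%Y%m%d%H%M%S")
    if suffix is None:
        tz = local_tz
    elif suffix == "Z":
        tz = timezone.utc
    else:
        sign = 1 if suffix[0] == "+" else -1
        hours, minutes = int(suffix[1:3]), int(suffix[3:5] or 0)
        tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_rule(line):
    """Split one User_Spec line into per-command entries.

    Simplified model: runas, options and tags are read only from the
    Cmnd_Spec they are written on.  sudo's own parser carries some of
    them forward to later commands in the list, so confirm the effective
    policy with `sudo -l`, as the answer does."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    entries = []
    for spec in m["specs"].split(","):
        entry = {"user": m["user"], "host": m["host"], "runas": None,
                 "notbefore": None, "notafter": None, "timeout": None,
                 "tags": [], "cmnd": None}
        words = []
        for tok in spec.split():
            if tok.startswith("(") and tok.endswith(")"):   # Runas_Spec
                entry["runas"] = tok[1:-1]
            elif tok.startswith("NOTBEFORE="):               # Date_Spec
                entry["notbefore"] = parse_timestamp(tok.split("=", 1)[1])
            elif tok.startswith("NOTAFTER="):                # Date_Spec
                entry["notafter"] = parse_timestamp(tok.split("=", 1)[1])
            elif tok.startswith("TIMEOUT="):                 # Timeout_Spec
                entry["timeout"] = tok.split("=", 1)[1]
            elif tok.endswith(":"):                          # Tag_Spec, e.g. NOPASSWD:
                entry["tags"].append(tok[:-1])
            else:
                words.append(tok)
        entry["cmnd"] = " ".join(words)
        entries.append(entry)
    return entries


def is_active(entry, now):
    """True when `now` (an aware datetime) lies inside the entry's window."""
    now = now.astimezone(timezone.utc)
    if entry["notbefore"] is not None and now < entry["notbefore"]:
        return False
    if entry["notafter"] is not None and now > entry["notafter"]:
        return False
    return True


def allowed_commands(rules, user, now):
    """Commands `user` may run at `now` under this simplified model."""
    return sorted({e["cmnd"] for line in rules for e in parse_rule(line)
                   if e["user"] == user and is_active(e, now)})


# Constructed sample policy: ps opens at 2019-04-09 21:27 local time (UTC-4),
# ping closes at 2019-04-16 00:00 UTC, ls has no window at all.
SAMPLE_RULES = [
    "jeff2 ALL=(ALL) NOTBEFORE=20190409212700 /bin/ps, NOTAFTER=20190416000000Z /bin/ping",
    "jeff2 ALL=(ALL) /bin/ls",
]

if __name__ == "__main__":
    # The first two instants are the ones from the answer's terminal session.
    for stamp in ("20190410012552Z", "20190410012933Z", "20190417000000Z"):
        print(stamp, "->", allowed_commands(SAMPLE_RULES, "jeff2", parse_timestamp(stamp)))
```

The model only answers "is this Cmnd_Spec inside its window"; the real sudoers evaluation (last matching rule wins, Defaults, LDAP-sourced rules) is what sudo -l reports, so check syntax with visudo -c and the effective policy with sudo -l before relying on a window. Note from the answer's session that an expired or not-yet-open rule produces the same "is not allowed to execute" message as a missing rule, so a date window that has lapsed looks identical to a revoked grant in the logs; keep the cleanup of NOTAFTER rules on a schedule rather than waiting for complaints.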