Mdthbs

Applying for mortgage when living together but only one will be on the mortgage

Why does Latex make a small adjustment when I change section color

Why does macOS create file mounts for each app?

How to structure presentation to avoid getting questions that will be answered later in the presentation?

Why are we moving in circles with a tandem kayak?

How to get Planck length in meters to 6 decimal places

How can flights operated by the same company have such different prices when marketed by another?

Applications of pure mathematics in operations research

How does the barbarian's bonus damage from Rage interact with two-weapon fighting?

What is the oxidation state of Mn in HMn(CO)5?

Word for giving preference to the oldest child

How to calculate points under the curve?

Avoiding Implicit Conversion in Constructor. Explicit keyword doesn't help here

What are these hats and the function of those wearing them? worn by the Russian imperial army at Borodino

How can a class have multiple methods without breaking the single responsibility principle

Best Ergonomic Design for a handheld ranged weapon

Should 2FA be enabled on service accounts?

My employer is refusing to give me the pay that was advertised after an internal job move

Prepare a user to perform an action before proceeding to the next step

how can I calculate confidence interval with small sample in R?

How does Asimov's second law deal with contradictory orders from different people?

Patio gate not at right angle to the house

What is my clock telling me to do?

Balancing Humanoid fantasy races: Elves

Specify command with quoted arguments in sudoers?

Allow user to run a command with arguments (which contains spaces)using sudo on GUI applicationsExecute shell script from php, as root user?proper configuration of visudo NOPASSWD for bash backup scriptHow to specify regular expression for command arguments in sudoersParallels on Mac - can no longer sudo within UbuntuHow to prevent the caller's shell from being used in sudoWhy do I still need to run shutdown as sudo after this?Sudo with password and append to file via SSHSUDO requiring ttyHow can you write to a file from the command line without using shell output redirection?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}

1

The General Case

I'm trying to enable a user to run a sudo command (with arguments) without a password. I can get the NOPASSWD directive to work, but only when the arguments don't contain quotation marks.

For example, this works:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo foo



$ sudo echo foo

foo

But this doesn't, because quotation marks are interpreted literally:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo "foo"



$ sudo echo "foo"

[sudo] password for rlue:

$ sudo echo "foo"

"foo"

---

My Specific Case

This is the command I'm trying to allow:

$ sudo sh -c 'echo XHCI > /proc/acpi/wakeup'

I actually got it to work with the following unquoted command:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

But since it calls out to sh -c, and since I clearly don't understand precisely what's going on, I'd like to be extra explicit about what I'm allowing.

How can I specify quoting for command arguments in the sudoers file?

sudo arguments

share|improve this question

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

bumped to the homepage by Community♦ 33 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The sudoers man page says "If a Cmnd has associated command line arguments, then the arguments ... must match exactly those given by the user...", so you're already being "extra explicit" about what you're allowing.
  
  – dsstorefile1
  May 9 '18 at 3:16
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sure, but for example, mv this that the other is different from mv this that 'the other', and the unquoted syntax permits both. How can I be sure I haven't missed any edge cases?
  
  – Ryan Lue
  May 9 '18 at 3:32
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you're worried about edge cases, see serverfault.com/a/516002. Apparently, that is the "simple solution".
  
  – dsstorefile1
  May 9 '18 at 3:41
  

  
  
  
  

add a comment | 

1

The General Case

I'm trying to enable a user to run a sudo command (with arguments) without a password. I can get the NOPASSWD directive to work, but only when the arguments don't contain quotation marks.

For example, this works:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo foo



$ sudo echo foo

foo

But this doesn't, because quotation marks are interpreted literally:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo "foo"



$ sudo echo "foo"

[sudo] password for rlue:

$ sudo echo "foo"

"foo"

---

My Specific Case

This is the command I'm trying to allow:

$ sudo sh -c 'echo XHCI > /proc/acpi/wakeup'

I actually got it to work with the following unquoted command:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

But since it calls out to sh -c, and since I clearly don't understand precisely what's going on, I'd like to be extra explicit about what I'm allowing.

How can I specify quoting for command arguments in the sudoers file?

sudo arguments

share|improve this question

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

bumped to the homepage by Community♦ 33 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The sudoers man page says "If a Cmnd has associated command line arguments, then the arguments ... must match exactly those given by the user...", so you're already being "extra explicit" about what you're allowing.
  
  – dsstorefile1
  May 9 '18 at 3:16
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sure, but for example, mv this that the other is different from mv this that 'the other', and the unquoted syntax permits both. How can I be sure I haven't missed any edge cases?
  
  – Ryan Lue
  May 9 '18 at 3:32
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  If you're worried about edge cases, see serverfault.com/a/516002. Apparently, that is the "simple solution".
  
  – dsstorefile1
  May 9 '18 at 3:41
  

  
  
  
  

add a comment | 

The General Case

I'm trying to enable a user to run a sudo command (with arguments) without a password. I can get the NOPASSWD directive to work, but only when the arguments don't contain quotation marks.

For example, this works:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo foo



$ sudo echo foo

foo

But this doesn't, because quotation marks are interpreted literally:

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo "foo"



$ sudo echo "foo"

[sudo] password for rlue:

$ sudo echo "foo"

"foo"

---

My Specific Case

This is the command I'm trying to allow:

$ sudo sh -c 'echo XHCI > /proc/acpi/wakeup'

I actually got it to work with the following unquoted command:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

But since it calls out to sh -c, and since I clearly don't understand precisely what's going on, I'd like to be extra explicit about what I'm allowing.

How can I specify quoting for command arguments in the sudoers file?

sudo arguments

share|improve this question

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo foo



$ sudo echo foo

foo

# /etc/sudoers.d/sample

%sudo   ALL=(ALL)  NOPASSWD: /bin/echo "foo"



$ sudo echo "foo"

[sudo] password for rlue:

$ sudo echo "foo"

"foo"

$ sudo sh -c 'echo XHCI > /proc/acpi/wakeup'

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

share|improve this question

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

share|improve this question

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

asked May 9 '18 at 3:02

Ryan LueRyan Lue

24411 silver badge1212 bronze badges

1 Answer
1

active

oldest

votes

0

edit: Warning, it appears that sudo does not safely handle spaces in the command, so it is not safe to use sudo in this way. https://unix.stackexchange.com/a/279142/39281

Instead of using quotes in the sudoers file, you can escape spaces using backslash:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

You can still use it as follows, because the user's shell handles the quoted argument anyway:

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

You could also consider putting a complex command into a script, as suggested in a comment. https://serverfault.com/a/516002

share|improve this answer

edited May 9 '18 at 7:55

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This appears semantically identical to not having backslashes (that is, the arguments can still be grouped with quotation marks in every possible arrangement).
  
  – Ryan Lue
  May 9 '18 at 7:03
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Someone commented: there's an other QA telling this is possibly unsafe: unix.stackexchange.com/questions/279125/… then removed their comment. But they were right, it is unsafe, seems like sudo is not safe to be used when there are spaces in the command name. Perhaps I am misusing it, or perhaps it is a rubbish insecure tool. If it is so easy to misuse, I suggest the latter.
  
  – Sam Watkins
  May 9 '18 at 7:53
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442671%2fspecify-command-with-quoted-arguments-in-sudoers%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

edit: Warning, it appears that sudo does not safely handle spaces in the command, so it is not safe to use sudo in this way. https://unix.stackexchange.com/a/279142/39281

Instead of using quotes in the sudoers file, you can escape spaces using backslash:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

You can still use it as follows, because the user's shell handles the quoted argument anyway:

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

You could also consider putting a complex command into a script, as suggested in a comment. https://serverfault.com/a/516002

share|improve this answer

edited May 9 '18 at 7:55

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This appears semantically identical to not having backslashes (that is, the arguments can still be grouped with quotation marks in every possible arrangement).
  
  – Ryan Lue
  May 9 '18 at 7:03
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Someone commented: there's an other QA telling this is possibly unsafe: unix.stackexchange.com/questions/279125/… then removed their comment. But they were right, it is unsafe, seems like sudo is not safe to be used when there are spaces in the command name. Perhaps I am misusing it, or perhaps it is a rubbish insecure tool. If it is so easy to misuse, I suggest the latter.
  
  – Sam Watkins
  May 9 '18 at 7:53
  

  
  
  
  

add a comment | 

0

edit: Warning, it appears that sudo does not safely handle spaces in the command, so it is not safe to use sudo in this way. https://unix.stackexchange.com/a/279142/39281

Instead of using quotes in the sudoers file, you can escape spaces using backslash:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

You can still use it as follows, because the user's shell handles the quoted argument anyway:

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

You could also consider putting a complex command into a script, as suggested in a comment. https://serverfault.com/a/516002

share|improve this answer

edited May 9 '18 at 7:55

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This appears semantically identical to not having backslashes (that is, the arguments can still be grouped with quotation marks in every possible arrangement).
  
  – Ryan Lue
  May 9 '18 at 7:03
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Someone commented: there's an other QA telling this is possibly unsafe: unix.stackexchange.com/questions/279125/… then removed their comment. But they were right, it is unsafe, seems like sudo is not safe to be used when there are spaces in the command name. Perhaps I am misusing it, or perhaps it is a rubbish insecure tool. If it is so easy to misuse, I suggest the latter.
  
  – Sam Watkins
  May 9 '18 at 7:53
  

  
  
  
  

add a comment | 

edit: Warning, it appears that sudo does not safely handle spaces in the command, so it is not safe to use sudo in this way. https://unix.stackexchange.com/a/279142/39281

Instead of using quotes in the sudoers file, you can escape spaces using backslash:

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

You can still use it as follows, because the user's shell handles the quoted argument anyway:

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

You could also consider putting a complex command into a script, as suggested in a comment. https://serverfault.com/a/516002

share|improve this answer

edited May 9 '18 at 7:55

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

%sudo   ALL=(ALL)  NOPASSWD: /bin/sh -c echo XHCI > /proc/acpi/wakeup

sudo /bin/sh -c 'echo XHCI > /proc/acpi/wakeup'

share|improve this answer

edited May 9 '18 at 7:55

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges

answered May 9 '18 at 6:40

Sam WatkinsSam Watkins

10566 bronze badges