Insert a Sudo Command

Matching criteria are case sensitive.

  1. Select the Application Group you want to add the sudo command to.
  2. Right-click and select Insert Application > Sudo Command.
  3. Enter a File or Folder Name, or click Template to choose a template.
  4. Enter a description or accept the default and click Next.
  5. You can leave the Description blank to match on all sudo commands.
  6. You must configure the matching criteria for the sudo command. You can configure:
    • File or Folder Name Matches
    • File Hash (SHA-1 Fingerprint)
    • Command Line Arguments
    • Publisher Matches
    • Parent Process Matches
  7. Click Finish. The sudo command is added to the Application Group.

Sudo Switches

Privilege Management for Mac supports running sudo commands with the following switches:

  • -b, --background
  • -e, --edit
  • -i, --login
  • -S, --stdin
  • -s, --shell
  • -V, --version

When a sudo command is run, Privilege Management for Mac ignores any switches that have been used and will match the rest of the command against the application definition. If Privilege Management for Mac matches against a rule that allows execution, the sudo command runs with any supported switches that were used. Any switches that are not supported by Privilege Management for Mac are ignored.

If Privilege Management for Mac matches on a passive rule or doesn't match any rules, then the sudo command runs with any supported or unsupported switches that have been used.

The -e switch requires configuration in Privilege Management for Mac for it to be supported. For more information, please see Edit -e Switch.

The -l, --list switch, which lists the commands the user is allowed to run, does not take into account the commands that are restricted by Privilege Management for Mac.

Edit -e Switch

The -e, --edit switch, also known as sudoedit, allows the user to edit one or more files using their preferred text editor. The text editor is defined by setting the SUDO_EDITOR, VISUAL, or EDITOR environment variable in the user's Terminal session. Otherwise, the default editor, Vim, is used. To configure your policy to support the -e switch, you must set up a sudo command Application Rule so that:

  • The File or Folder Name definition is set to sudoedit with the Perform Match Using set to Exact Match.
  • The Command Line Arguments definition is set to the path of the files you want to control using this rule.

For example, the application definition shown in the following screenshot supports the sudo command sudo -e /etc/hosts.

[Screenshot: Application Definition configuration supporting the sudo command sudo -e /etc/hosts]

The audit log shows the application as /usr/bin/sudo, and the command line arguments have -e prepended to them.
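The matching behaviour described under Sudo Switches, the sudoedit rule shape described under Edit -e Switch, and the audit log view above can be checked against a policy before it is deployed. The following Python model is an added example, not Privilege Management for Mac code: the SudoRule class, first-match precedence, the "empty Command Line Arguments matches anything" shortcut, and the omission of switches that take a value (such as -u user) are all constructed simplifications.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Switches the page lists as supported; anything else sudo accepts is "unsupported" here.
SUPPORTED_SWITCHES = {"-b", "--background", "-e", "--edit", "-i", "--login",
                      "-S", "--stdin", "-s", "--shell", "-V", "--version"}

@dataclass
class SudoRule:  # hypothetical stand-in for an Application Definition of type Sudo Command
    file_name: str          # File or Folder Name, compared with Exact Match (case sensitive)
    args: str = ""          # Command Line Arguments; "" means any arguments (constructed shortcut)
    action: str = "allow"   # "allow" or "passive"

def split_sudo(cmdline: str) -> Tuple[List[str], str, List[str]]:
    """Split 'sudo [switches] command [args]' into (switches, command, args).
    Leading '-' tokens are switches; switches taking a value (e.g. -u user) are not modelled.
    A -e/--edit invocation is reported as command 'sudoedit' with the edited file
    paths as its arguments, which is how the rule for it has to be written."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "sudo":
        raise ValueError("expected a command line starting with sudo")
    switches, rest = [], tokens[1:]
    while rest and rest[0].startswith("-"):
        switches.append(rest.pop(0))
    if "-e" in switches or "--edit" in switches:
        return switches, "sudoedit", rest
    return switches, (rest[0] if rest else ""), rest[1:]

def match(cmdline: str, rules: List[SudoRule]) -> Tuple[Optional[SudoRule], List[str]]:
    """Return (matched rule or None, switches the command actually runs with).
    Switches are ignored for matching; the remainder is compared exactly."""
    switches, command, args = split_sudo(cmdline)
    supported = [s for s in switches if s in SUPPORTED_SWITCHES]
    for rule in rules:  # first matching rule wins (constructed assumption)
        if rule.file_name == command and rule.args in ("", " ".join(args)):
            if rule.action == "allow":
                return rule, supported      # allowed: unsupported switches are dropped
            return rule, list(switches)     # passive: runs exactly as typed
    return None, list(switches)             # no match: runs exactly as typed

def audit_command_line(cmdline: str) -> Tuple[str, List[str]]:
    """Audit log view of a sudoedit invocation: application /usr/bin/sudo,
    arguments with -e prepended to the edited paths (only this case is described)."""
    _, command, args = split_sudo(cmdline)
    if command != "sudoedit":
        raise ValueError("only the -e case is modelled")
    return "/usr/bin/sudo", ["-e"] + args
```

Running `match("sudo -e /etc/Hosts", rules)` against a rule for /etc/hosts returns no match, which is the case-sensitivity point from the top of the page.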