Insert a Sudo Command to an Application Group

Matching criteria are case sensitive.

  1. Select the Application Group you want to add the sudo command to.
  2. In the right pane, select Actions > Applications > Sudo Command.
  3. You need to configure the matching criteria for the sudo command. You can configure:
    • File or Folder Name matches
    • File Hash (SHA-1 Fingerprint) matches
    • Command Line Arguments
    • Publisher matches
    • Parent Process matches
  4. Click OK. The sudo command is added to the Application Group.

Sudo Switches

Privilege Management for Mac supports running sudo commands with the following switches:

  • -b, --background
  • -e, --edit: This switch needs to be configured in Privilege Management for Mac for it to be supported.
  • -i, --login
  • -S, --stdin
  • -s, --shell
  • -V, --version

When a sudo command is run, Privilege Management for Mac ignores any switches that have been used and matches the rest of the command against the application definition. If Privilege Management for Mac matches a rule that allows execution, the sudo command runs with any supported switches that were used. Any switches that are not supported by Privilege Management for Mac are ignored.

If Privilege Management for Mac matches on a passive rule or doesn't match any rules, then the sudo command runs with any supported or unsupported switches that have been used.

The -l, --list switch, which lists the commands that the user is allowed to run, does not take into account the commands that are restricted by Privilege Management for Mac.

Edit -e Switch

The -e, --edit switch, also known as sudoedit, allows the user to edit one or more files using their preferred text editor. The text editor is defined by setting the SUDO_EDIT, VISUAL or EDITOR environment variable in their Terminal session. Otherwise, the default editor, Vim, is used. To configure your policy to support the -e switch, you need to set up a sudo command Application Rule so that:

  • The File or Folder Name definition is set to sudoedit, with Perform Match Using set to Exact Match
  • The Command Line Arguments definition is set to the path of the file(s) that you want to control using this rule

The application definition shown in the screenshot supports the sudo command:
sudo -e /etc/hosts


The audit log shows an application of /usr/bin/sudo and the command line arguments have -e prepended to them.
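
The following Python sketch is an added illustration and is not part of Privilege Management for Mac: it models the switch handling and the sudoedit matching described above, so you can predict which command line runs under an allow rule, a passive rule, or no matching rule. The rule tuples, function names and sample commands are assumptions, and matching is simplified to an exact, case-sensitive comparison of the file name and arguments.

```python
import shlex

# Switches the page lists as supported (short and long forms).
SUPPORTED = {"-b", "--background", "-e", "--edit", "-i", "--login",
             "-S", "--stdin", "-s", "--shell", "-V", "--version"}

def split_sudo(cmdline):
    """Split 'sudo [switches] command...' into (switches, command tokens).

    Simplification: every leading token that starts with '-' is treated as a
    switch that takes no value; combined forms such as '-bi' are not expanded.
    """
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "sudo":
        raise ValueError("not a sudo command line")
    i = 1
    while i < len(tokens) and tokens[i].startswith("-"):
        i += 1
    return tokens[1:i], tokens[i:]

def evaluate(cmdline, rules):
    """Return (action, effective argv) for one sudo command line.

    rules is a hypothetical list of (file_name, arguments, action) tuples,
    action being 'allow' or 'passive'; both fields are compared exactly and
    case-sensitively, and the first matching rule wins.
    """
    switches, command = split_sudo(cmdline)
    if any(s in ("-e", "--edit") for s in switches):
        # Per the page, -e is matched as File Name 'sudoedit' plus file path(s).
        name, args = "sudoedit", command
    else:
        name, args = (command[0] if command else ""), command[1:]
    action = next((act for fname, fargs, act in rules
                   if fname == name and fargs == " ".join(args)), None)
    if action == "allow":
        # Allow rule: only the supported switches survive.
        switches = [s for s in switches if s in SUPPORTED]
    # Passive rule or no match: every switch is kept as typed.
    return action, ["sudo", *switches, *command]

# Constructed sample policy and command lines (not taken from a real policy).
RULES = [("sudoedit", "/etc/hosts", "allow"),
         ("/usr/bin/whoami", "", "passive")]

if __name__ == "__main__":
    for line in ("sudo -e -n /etc/hosts", "sudo -e -n /etc/Hosts",
                 "sudo -b -n /usr/bin/whoami"):
        print(line, "->", evaluate(line, RULES))
```

The second sample line differs from the rule only in letter case, so it matches nothing and keeps the unsupported -n switch.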

For more information, please see Application Definitions in Privilege Management for Mac.