I think you want to check out the "Parameter_List" or "Parameter" options in the sudoers. It is possible to block specific options using '!'* or -= . I've never used these, so I don't have first hand knowledge. From the manpage:
Code:
Parameters may be flags, integer values, strings, or lists. Flags are implicitly
boolean and can be turned off via the ‘!’ operator. Some integer, string and
list parameters may also be used in a boolean context to disable them. Values
may be enclosed in double quotes ("") when they contain multiple words. Special
characters may be escaped with a backslash (‘\’).
Lists have two additional assignment operators, += and -=. These operators are
used to add to and delete from a list respectively. It is not an error to use
the -= operator to remove an element that does not exist in a list.
Also,
Code:
Wildcards
sudo allows shell-style wildcards (aka meta or glob characters) to be used in
host names, path names and command line arguments in the sudoers file. Wildcard
matching is done via the glob(3) and fnmatch(3) functions as specified by IEEE
Std 1003.1 (“POSIX.1”).
* Matches any set of zero or more characters (including white space).
? Matches any single character (including white space).
[...] Matches any character in the specified range.
[!...] Matches any character not in the specified range.
\x For any character ‘x’, evaluates to ‘x’. This is used to escape spe‐
cial characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
Note that these are not regular expressions. Unlike a regular expression there
is no way to match one or more characters within a range.
....
It goes on with examples and exceptions and caveats. Be very careful using the '*' wildcard, even at the end of a filename, since any other files can be added and will be provided access. There's a warning about this.
I always setup aliases for long commands just for me. For long commands that I want others to have, I create scripts and drop them into /usr/local/bin/ for everyone to have access.
I don't know if this is sufficient, but I hope it provides leads for testing. Just because something works, don't assume it won't allow things you don't want.
Bookmarks