Okta Advanced Server Access (ASA) raw sudo entitlements allow an admin to select specific commands that assigned users can execute with sudo. If a user runs one of these commands with flags that the entitlement pattern does not cover, sudo will prompt the user for a password.
For example, suppose a raw sudo entitlement has been set as below to allow any command from /bin to be run on /tmp:
{
  "command_type": "raw",
  "command": "/bin/* /tmp/*",
  "args_type": null,
  "args": null,
  "rendered_command": "/bin/* /tmp/*"
}
Users will get a password prompt when they run such a command with any flag:
exampleuser@hostname:~$ sudo /bin/ls -l /tmp/
[sudo] password for exampleuser:
- Okta Advanced Server Access (ASA)
- Sudo Entitlements
- Okta Classic Engine
- Okta Identity Engine (OIE)
Raw entitlements expect the command line to match the entitlement's format exactly, and sudo will prompt for a password if it does not. In the example above, the pattern makes no allowance for flags between the command and the destination path.
Update the entitlement to include flags. For the example referred to in this article, the raw command will be:
/bin/* -* /tmp/*
NOTE: Since raw entitlements expect an exact format match, the pattern above will not match a command run without flags; for example, sudo /bin/ls /tmp/ will get a password prompt. To allow both forms, keep an entitlement for each pattern.
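The matching behaviour described above can be checked offline with the following added example (not Okta's code). It assumes that ASA renders a raw entitlement into a sudoers-style command spec and that sudo matches the command path as one glob and the remaining arguments, joined by spaces, as a second glob (or an exact string when the spec has no wildcard); the rule strings are the ones from this article.

```python
import fnmatch
import shlex

# Constructed sample: the article's entitlement before and after adding flags.
ORIGINAL_RULE = "/bin/* /tmp/*"
FLAGGED_RULE = "/bin/* -* /tmp/*"


def _has_wildcard(spec: str) -> bool:
    return any(c in spec for c in "*?[")


def matches_raw_entitlement(rendered_command: str, command_line: str) -> bool:
    """True if the typed command line (without the leading 'sudo') matches the rule.

    Assumption: matching follows sudoers semantics. The command path is one glob;
    the rest of the rule and the rest of the typed arguments are each joined with
    single spaces and compared as one string, exactly when the rule's arguments
    contain no wildcard, otherwise as a glob (so '*' may span several words).
    """
    spec_parts = rendered_command.split(None, 1)
    argv = shlex.split(command_line)
    if not spec_parts or not argv:
        return False
    spec_cmd = spec_parts[0]
    spec_args = spec_parts[1] if len(spec_parts) > 1 else None
    if not fnmatch.fnmatchcase(argv[0], spec_cmd):
        return False
    if spec_args is None:
        return True  # a rule that names no arguments permits any arguments
    user_args = " ".join(argv[1:])
    if not _has_wildcard(spec_args):
        return user_args == spec_args
    return fnmatch.fnmatchcase(user_args, spec_args)


def password_prompt_expected(rules, command_line: str) -> bool:
    """True when none of the user's rules match, i.e. sudo falls back to a password prompt."""
    return not any(matches_raw_entitlement(rule, command_line) for rule in rules)


if __name__ == "__main__":
    for rules in ([ORIGINAL_RULE], [FLAGGED_RULE], [ORIGINAL_RULE, FLAGGED_RULE]):
        for cmd in ("/bin/ls /tmp/", "/bin/ls -l /tmp/"):
            outcome = "password prompt" if password_prompt_expected(rules, cmd) else "allowed"
            print(f"{str(rules):40} sudo {cmd:18} -> {outcome}")
```

Note that with glob semantics `-*` also matches several flags (for example `-l -a`), so the flagged rule is broader than a single flag; review rendered patterns with that in mind.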
