A DevOps engineer wants the user "dev1" to be able to run /usr/bin/make as root via sudo but must ensure that the command cannot start any additional processes (for example, a shell escape launched from within Makefiles). Which tag should be placed in the corresponding entry in /etc/sudoers to meet this security requirement?
The NOEXEC tag tells sudo to run the listed program with the no-exec wrapper enabled. For example, a sudoers entry might look like: dev1 ALL = NOEXEC: /usr/bin/make. On modern Linux builds, sudo implements this through a seccomp filter or an LD_PRELOAD shim that blocks subsequent exec*() system calls from the invoked process. As a result, the program can perform its normal work but cannot spawn subshells or other helper commands, which is precisely what is needed to prevent shell escapes from make.
The other options do not achieve this:
NOPASSWD is a tag that only disables the password prompt.
SETENV is a tag that allows the user to preserve or set environment variables.
requiretty is a Defaults flag, not a command tag. It merely forces sudo to be executed from an interactive TTY and offers no protection against shell escapes.
CompTIA Linux+ XK0-006 (V8)
Security