chore(claude): сузить sudo-deny и разрешить установочные команды
Замена широкого Bash(sudo *) deny на узкие опасные паттерны (sudo rm/dd/mkfs/passwd/userdel/usermod/visudo/su/-s/-i), добавление в allow: sudo dnf/rpm/tar/ln/cp/mv/chmod/chown/systemctl, sudo tee /etc/profile.d/*, curl/wget. Нужно, чтобы Claude Code автоматически устанавливал пакеты при подготовке dev-стенда. Write-deny на /etc, /var, /root, /home/admin сохранён. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
fontvielle
+25
-2
@@ -23,13 +23,36 @@
|
||||
"Bash(find *)",
|
||||
"Bash(npm run *)",
|
||||
"Bash(npx *)",
|
||||
"Bash(./scripts/*)"
|
||||
"Bash(./scripts/*)",
|
||||
"Bash(sudo dnf *)",
|
||||
"Bash(sudo rpm *)",
|
||||
"Bash(sudo tar *)",
|
||||
"Bash(sudo ln *)",
|
||||
"Bash(sudo mkdir *)",
|
||||
"Bash(sudo cp *)",
|
||||
"Bash(sudo mv *)",
|
||||
"Bash(sudo chmod *)",
|
||||
"Bash(sudo chown *)",
|
||||
"Bash(sudo systemctl *)",
|
||||
"Bash(sudo tee /etc/profile.d/*)",
|
||||
"Bash(sudo update-alternatives *)",
|
||||
"Bash(curl *)",
|
||||
"Bash(wget *)"
|
||||
],
|
||||
"deny": [
|
||||
"Bash(rm -rf /*)",
|
||||
"Bash(rm -rf ~)",
|
||||
"Bash(rm -rf $HOME)",
|
||||
"Bash(sudo *)",
|
||||
"Bash(sudo rm *)",
|
||||
"Bash(sudo dd *)",
|
||||
"Bash(sudo mkfs *)",
|
||||
"Bash(sudo passwd *)",
|
||||
"Bash(sudo userdel *)",
|
||||
"Bash(sudo usermod *)",
|
||||
"Bash(sudo visudo *)",
|
||||
"Bash(sudo su *)",
|
||||
"Bash(sudo -s)",
|
||||
"Bash(sudo -i)",
|
||||
"Bash(dd *)",
|
||||
"Bash(mkfs *)",
|
||||
"Bash(curl * | sh)",
|
||||
|
||||
Reference in New Issue
Block a user