> > I allow read-access to all of /var/log. However, I also allow read
> > access to /etc/shadow:
> >
> > /usr/bin/tail /var/log/../../etc/shadow
> >
> > does work. How can I best restrict that? I've tried
> > > /usr/bin/tail/[^.]*

/usr/bin/tail /var/log/[^.]*

will prevent

sudo tail /var/log/../../etc/shadow

but not

sudo tail /var/log/apache/../../../etc/shadow

:-( I have no better idea.

Stony
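Added example, not part of the original message: a short Python check of why the argument pattern above lets the second path through, next to a test that resolves the path before comparing it with /var/log. Python's fnmatch stands in for sudo's matcher here, on the assumption (documented in the sudoers manual for command-line arguments) that wildcards also match "/"; the function names and the sample file name are made up for the illustration.

```python
import fnmatch
import os

# Argument pattern from the message, spelled with "[!.]" (the POSIX negation
# form that Python's fnmatch understands) instead of "[^.]".
PATTERN = "/var/log/[!.]*"
LOG_DIR = "/var/log"

# Constructed sample arguments; the two traversal paths are those in the thread,
# the first file name is invented.
SAMPLES = [
    "/var/log/syslog-example",
    "/var/log/../../etc/shadow",
    "/var/log/apache/../../../etc/shadow",
]


def pattern_allows(arg, pattern=PATTERN):
    """Glob match on the raw argument string; '*' also matches '/' and '..'."""
    return fnmatch.fnmatchcase(arg, pattern)


def stays_inside(arg, base=LOG_DIR):
    """Resolve '..' and symlinks first, then require the result to be under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(arg)
    return os.path.commonpath([base_real, target]) == base_real


def audit(samples=SAMPLES):
    """Return (argument, accepted by pattern, really inside LOG_DIR) per sample."""
    return [(s, pattern_allows(s), stays_inside(s)) for s in samples]


if __name__ == "__main__":
    for arg, glob_ok, real_ok in audit():
        print(f"{arg!r}: pattern={glob_ok} resolved_inside={real_ok}")
```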