Need to allow a user to chown files under a particular directory using sudo. This does the trick:
user1 ALL= NOPASSWD: /bin/chown -[RPfchv] user2\:user2 /opt/some/path/[a-zA-Z0-9]*
But, does not prevent the user from being sneaky and doing something like:
[user1@rhel ~] sudo /bin/chown -v user2:user2 /opt/some/path/../../../etc/shadow
Any way to protect from this?
Machine is running Linux (Red Hat)
-
sudo introduces inherent security risks and it is generally ill advised to give to users that don't have high levels of trust.
Why not limit simply to recursive chown for the parent directory?
sudoers primarily uses globbing. According to the manpage, it doesn't match / on wildcards. More details in the manpage.
As far as a more advanced solution, a script should do the trick.
[root@server wmoore]# egrep '^wmoore' /etc/sudoers
wmoore ALL= NOPASSWD: /bin/chown -[RPfchv] wmoore\:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo -l
User wmoore may run the following commands on this host:
    (root) NOPASSWD: /bin/chown -[RPfchv] wmoore:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo chown -R wmoore:wmoore /home/wmoore/../../tmp/test
Sorry, user wmoore is not allowed to execute '/bin/chown -R wmoore:wmoore /home/wmoore/../../tmp/test' as root on server.

Oh, right. sudo package:

Name        : sudo                         Relocations: (not relocatable)
Version     : 1.6.9p17                          Vendor: CentOS
Release     : 3.el5_3.1                     Build Date: Tue 24 Mar 2009 07:55:42 PM EDT

CentOS 5.
From Warner -
Try making a 'chroot replacement' script, which validates input before doing the chown() thing. Then add this script instead of /bin/chown to sudoers file. You may then set up 'chown' alias for users if that is needed.
On the other hand, are you sure your users need to do chown with root privileges? Maybe sgid or suid bits on the directories will solve your problem?
From Jacek Konieczny
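Both answers above suggest replacing the bare /bin/chown rule with a wrapper script that validates its arguments and is itself the only thing listed in sudoers. The script below is an added example of that approach; it is not code from either answer or from the original question. The directory /opt/some/path, the owner user2:user2 and the install path /usr/local/bin/chown-opt are assumed for illustration. The security-relevant step is canonicalising each argument with readlink -f (which resolves `..` and symlinks) before comparing it with the allowed tree, rather than trying to reject `..` with pattern matching: how sudoers wildcards treat `/` and `..` in arguments has varied between sudo versions, while a resolved absolute path is unambiguous. The script also passes `--` so an argument such as `--reference=/etc/shadow` cannot be parsed as a chown option, and `-h` so that a recursive run changes symlinks inside the tree rather than whatever they point to.

```shell
#!/bin/sh
# chown-opt: a sudo wrapper that chowns paths only inside one directory tree.
# Added example, not code from the original thread. The tree, the owner and
# the install path are assumed:
#
#   user1 ALL= NOPASSWD: /usr/local/bin/chown-opt
#
# Install root-owned, mode 0755, so user1 cannot edit what runs as root.
# Usage: sudo chown-opt [-R] PATH...

ALLOWED_ROOT="/opt/some/path"   # assumed: the only tree user1 may chown inside
TARGET_OWNER="user2:user2"      # assumed: the only owner:group permitted
CHOWN=/bin/chown

# canonical_path ROOT PATH
# Print the canonical form of PATH if it exists and lies strictly inside ROOT,
# otherwise print nothing and return 1. readlink -f (GNU coreutils) resolves
# every `..` and symlink, so ROOT/../../../etc/shadow and a symlink inside ROOT
# pointing at /etc/shadow both resolve to paths outside ROOT and are rejected.
# ROOT is canonicalised too, in case it is reached through a symlink itself.
canonical_path() {
    root=$(readlink -f -- "$1") || return 1
    canon=$(readlink -f -- "$2") || return 1
    # readlink -f tolerates a missing last component; chown needs a real target
    [ -e "$canon" ] || return 1
    case $canon in
        "$root"/*) printf '%s\n' "$canon" ;;
        *)         return 1 ;;
    esac
}

main() {
    recurse=""
    if [ "$1" = "-R" ]; then
        recurse="-R"
        shift
    fi
    if [ $# -eq 0 ]; then
        echo "usage: $0 [-R] PATH..." >&2
        exit 2
    fi
    # Validate every argument before touching anything, so one bad path does
    # not leave a half-finished job on the good ones.
    for arg in "$@"; do
        if ! canonical_path "$ALLOWED_ROOT" "$arg" >/dev/null; then
            echo "$0: refusing '$arg': not inside $ALLOWED_ROOT" >&2
            exit 1
        fi
    done
    for arg in "$@"; do
        canon=$(canonical_path "$ALLOWED_ROOT" "$arg")
        # -- : nothing after it is parsed as an option (e.g. --reference=FILE)
        # -h : with -R, change symlinks themselves, not their targets, so a
        #      link inside the tree cannot redirect the chown outside it
        "$CHOWN" $recurse -h -- "$TARGET_OWNER" "$canon" || exit 1
    done
}

# With no arguments only the functions are defined, which lets the file be
# sourced for testing; sudo always supplies at least one path.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Note that the sudoers entry for the wrapper lists no arguments at all: every argument is checked by the script, so sudo's own wildcard matching is no longer part of the security boundary. Whatever the script accepts is what user1 can chown as root, so the validation must stay as strict as the canonical_path check above.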