[sudo-users] restricting command to certain directory
Jiri Vitek
j.vitek at funlife.cz
Thu Jun 23 12:08:22 EDT 2011
Hello everybody,

I have a problem with limiting the chown command to a specific directory. My
current config in sudoers is the following:

    User_Alias DEVELOPERS = funlife
    Cmnd_Alias WWW_PERMISSIONS = /bin/chown funlife\:apache /home/www/*
    DEVELOPERS monika=WWW_PERMISSIONS

It's working fine and as I expect. But there is one problem: I don't know
how to prevent ../ from being used in the path. For example, this command is
"validated" by sudo as well:

    sudo chown funlife:apache /home/www/../../bin/*

and it will allow an owner change in the bin directory or others.

I understand that sudo doesn't know anything about what I'm specifying in
the WWW_PERMISSIONS alias, so it can't "translate" the path to absolute form. But
is there any form of regexp that I can use in the path to disallow "../"
in the command? If not, are there other ways to achieve this behavior, other
than my own wrapper script?

Thanks for your time. And sorry for my English.
Jiri Vitek
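
Added example (not part of the original message, and not sudo's own code): a small Python model of why the wildcard in WWW_PERMISSIONS accepts the ../ path, next to the canonicalize-then-compare check a wrapper would apply. The function names and sample targets are constructed for illustration, and Python's fnmatch stands in here for the glob matching that sudo applies to command arguments.

```python
import fnmatch
import os

# Argument part of the Cmnd_Alias from the message (sudoers "\:" is a plain ":").
SUDOERS_ARGS = "funlife:apache /home/www/*"
ALLOWED_ROOT = "/home/www"


def sudoers_style_match(args, pattern=SUDOERS_ARGS):
    """Model of the sudoers argument wildcard: the arguments are matched as
    one string and '*' is not stopped by '/', so '../' passes through."""
    return fnmatch.fnmatchcase(args, pattern)


def is_inside(path, root=ALLOWED_ROOT):
    """True only if path, with '..' and symlinks resolved, lies below root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    if real_path == real_root:
        return False  # the root itself is not covered by "/home/www/*"
    return os.path.commonpath([real_root, real_path]) == real_root


def rejected_targets(paths, root=ALLOWED_ROOT):
    """Paths a wrapper should refuse to pass on to chown."""
    return [p for p in paths if not is_inside(p, root)]


if __name__ == "__main__":
    # Constructed sample targets; the second is modelled on the message.
    samples = ["/home/www/site/index.php", "/home/www/../../bin/ls"]
    for target in samples:
        args = "funlife:apache " + target
        print(f"{target!r}: glob match={sudoers_style_match(args)}, "
              f"inside root={is_inside(target)}")
```

The check describes the path only at the moment it runs, so a wrapper built on it has to perform the ownership change on the resolved path it just validated.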