limiting commands to directories

Saxon, Lamar Lamar.Saxon at americredit.com
Wed Aug 28 10:31:59 EDT 2002


Can't you simply create a command alias like:

Cmnd_Alias      CHMOD=/usr/bin/chown userid /local/develop/*

Seems to work fine in my environment...

Lamar

-----Original Message-----
From: Matthew Hannigan [mailto:mlh at zip.com.au] 
Sent: Wednesday, August 28, 2002 8:25 AM
To: Clift Robert T CONT DLVA
Cc: 'sudo-users at sudo.ws'
Subject: Re: limiting commands to directories


Clift Robert T CONT DLVA wrote:
> All,
> 
> 	I want to be able to limit the directories where commands can be
> applied. In other words, I want my users to only be able to "chmod" in
> /local/develop. Thanks in advance,

Sudo doesn't do restrictions.

You could write a limited version of chmod, and only let them run
that, (hide/change permissions on the real chmod) but that still
wouldn't need the involvement of sudo.  And it would be a lot of
hard to maintain stuff.

And anyway, they could still write their own chmod command in C,
or perl, or python or ....it's not hard.

If you cared to restate your problem, maybe I could help a little
more.  What I think you might need is what's known as MAC --
mandatory access control, and that just doesn't come in any
standard commercial operating system.  There might be Linux
kernel modifications / modules to do it though.

Matt
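
Added example, not part of either message: one way to write the "limited version of chmod" Matthew mentions, as the single command a sudoers rule would grant. sudoers compares the `*` in command arguments as text and never resolves the path, so the wrapper canonicalizes each target (symlinks and `..` included) and refuses anything outside the base. The install path `/usr/local/sbin/chmod-develop`, the `devuser` rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed sudoers rule for it:
#   devuser ALL = (root) /usr/local/sbin/chmod-develop
# Known limit: a user who can rename directories under the base can still
# race the check against the chmod; this narrows the rule, it is not MAC.

# resolve_under BASE PATH: print canonical PATH if it exists strictly below BASE.
resolve_under() {
    rb=$(readlink -f -- "$1") || return 1
    rp=$(readlink -f -- "$2") || return 1
    [ -e "$rp" ] || return 1
    case "$rp" in
        "$rb"/*) printf '%s\n' "$rp" ;;
        *) return 1 ;;
    esac
}

# chmod_in_base BASE MODE PATH...: all-or-nothing chmod limited to BASE.
chmod_in_base() {
    base=$1 mode=$2
    shift 2
    # Plain 3-digit octal only: no options, no setuid/setgid/sticky bits.
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "refused: mode '$mode'" >&2; return 2 ;;
    esac
    [ "$#" -gt 0 ] || { echo "usage: MODE PATH..." >&2; return 2; }
    # First pass validates every path before anything is changed.
    for p in "$@"; do
        resolve_under "$base" "$p" >/dev/null || {
            echo "refused: $p is outside $base" >&2; return 1; }
    done
    # Second pass applies the mode to the canonical path, not the typed one.
    for p in "$@"; do
        chmod -- "$mode" "$(resolve_under "$base" "$p")" || return 1
    done
}

# Entry point when installed as the sudo target; the base is hard-coded.
if [ "$#" -gt 0 ]; then
    chmod_in_base /local/develop "$@"
fi
```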

