sudo under a defined directory

Woo, April April.Woo at spirentcom.com
Mon Oct 7 09:51:06 EDT 2002


Robert,

This is what I have set up for our users. Per my tests below, I think I was
unable to lock the commands down to specific directories.

april ;-)

***********************************************************************
SUDOERS FILE #1:

Cmnd_Alias      RUN_BASIC =\
                                /usr/bin/export,\
                                /usr/bin/ls,\
                                /usr/bin/find,\
                                /usr/bin/grep,\
                                /usr/bin/ps,\
                                /usr/bin/rm,\
                                /usr/bin/vi,\
                                /usr/bin/pwd,\
                                /usr/bin/cd,\
                                /usr/bin/cp
Cmnd_Alias      RUN_EXTENDED =\
                                /usr/bin/chgrp,\
                                /usr/bin/chown,\
                                /usr/bin/chmod,\
                                /usr/bin/mv

jsmith                 testserv1=NOPASSWD:RUN_BASIC,\
                        RUN_EXTENDED,\
                        /home/jsmith,\
                        /usr/local/share/bin

************************************************************************
SIMPLE TEST #1:

# su - jsmith

         
<testserv1>: id

uid=8888(jsmith) gid=1(staff)   
                                                         
<testserv1>: chmod 777 /home/user1/.profile

chmod: /home/user1/.profile: The file access permissions do not allow the
specified action.
 

<testserv1>: ls -la

total 136

drwxr-xr-x   4 jsmith  staff        512 May 17 12:22 .

drwxr-xr-x 227 bin      bin         5632 Oct 07 08:31 ..

-rw-r--r--   1 jsmith  staff       7138 Jul 15 09:39 .profile

                             
<testserv1>: chmod 777 /home/jsmith/.profile        
                                      
<testserv1>: ls -la /home/jsmith/.profile

-rwxrwxrwx   1 jsmith  staff       7138 Jul 15 09:39 /home/jsmith/.profile


***********************************************************************

SUDOERS FILE #2:   (removed RUN_EXTENDED command list)

jsmith                 ganymede=NOPASSWD:RUN_BASIC,\
                        /home/jsmith,\
                        /usr/local/share/bin
       
SIMPLE TEST #2:

# su - jsmith

     
<testserv1>: id

uid=8888(jsmith) gid=1(staff)            
                                             
<testserv1>: chown 777 /home/jsmith/.profile

chown: /home/jsmith/.profile: Operation not permitted.      

************************************************************************


-----Original Message-----
From: meiemoehl at a1.net [mailto:meiemoehl at a1.net]
Sent: Sunday, October 06, 2002 8:16 AM
To: robert.gruber at inode.at
Subject: sudo under a defined directory


Hello!

How can I set up /etc/sudoers so that a command like /bin/chmod can only work
with superuser rights within a specified directory?

My /etc/sudoers:
---
Host_Alias WWW = 192.168.0.1

# User alias specification

# Cmnd alias specification
Cmnd_Alias CHOWN = /bin/chown
Cmnd_Alias CHGRP = /bin/chgrp
Cmnd_Alias CHMOD = /bin/chmod

# User privilege specification
root    ALL=(ALL) ALL
user1 WWW = NOPASSWD: CHOWN, CHGRP
user2 WWW = NOPASSWD: CHOWN, CHGRP, CHMOD
---

Thank you for help!!

bye,
Robert

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
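
One way to approach the question in this thread, as an added example that is not from either poster or from the sudo project: allow a small wrapper in sudoers instead of /bin/chmod, and have the wrapper check the mode and the resolved path before it changes anything. The wrapper path /usr/local/sbin/chmod-in-dir, the directory /var/www and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, e.g. /usr/local/sbin/chmod-in-dir.
# sudoers would allow only the wrapper, not /bin/chmod itself:
#   user2 WWW = NOPASSWD: /usr/local/sbin/chmod-in-dir
# A sudoers argument pattern like "/bin/chmod [0-7][0-7][0-7] /var/www/*"
# is matched against the argument text without resolving the path, so it
# also accepts paths that contain "..".
ALLOWED_BASE=/var/www   # assumed directory, not from the thread

# Accept only three octal digits, which rules out setuid/setgid/sticky bits.
is_allowed_mode() {
    case "$1" in
        [0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if $2 is a regular file (not a symlink) whose physical
# parent directory is $1 or lies below it.
is_allowed_target() {
    base=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    [ -L "$2" ] && return 1
    [ -f "$2" ] || return 1
    parent=$(cd -P -- "$(dirname -- "$2")" 2>/dev/null && pwd -P) || return 1
    case "$parent/" in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

restricted_chmod() {
    [ "$#" -eq 2 ] || { echo "usage: chmod-in-dir MODE FILE" >&2; return 2; }
    is_allowed_mode "$1" || { echo "mode not allowed: $1" >&2; return 1; }
    is_allowed_target "$ALLOWED_BASE" "$2" ||
        { echo "path not allowed: $2" >&2; return 1; }
    chmod -- "$1" "$2"
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    restricted_chmod "$@"
fi
```

The check and the chmod are separate steps, so the wrapper is only sound if the calling user cannot rename or replace entries in the directories being checked.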


