sudo under a defined directory

Allan.Marillier at dana.com Allan.Marillier at dana.com
Mon Oct 7 12:02:34 EDT 2002


The following works for me and, if I remember correctly, is based on suggestions
other people gave in this list for similar needs.
Now watch somebody come and show me that what I'm doing is dangerous!

I have a number of command aliases, among them:
Cmnd_Alias      ADMINPERM = /usr/bin/chown * /etc/*, /usr/bin/chown * /sbin/*, \
                          /usr/bin/chown * /bin/*, /usr/bin/chown * /var/*, \
                          /usr/bin/chown * /usr/*, \
                          /usr/bin/chmod * /etc/*, /usr/bin/chmod * /sbin/*, \
                          /usr/bin/chmod * /bin/*, /usr/bin/chmod * /var/*, \
                          /usr/bin/chmod * /usr/*

And then this allows users to use chown, chmod etc., but prevents them from
doing it in any of the directories listed above.
PDMALL  ALL = ALL, !SU, !SHELLS, !SAM, !PASSWD, !VISUDO, !MC, \
        !ADMINVI, !ADMINCP, !ADMINRM, !ADMINPERM, HOSTS

Using this as a model, it should be possible to list specific directories
where it CAN be done, so that in all other directories it can NOT be done.
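To see what a directory-scoped rule of the kind Allan describes actually admits, here is a small emulation of the sudoers(5) Cmnd matching rules. It is an added example written for this page, not code from the thread or from the sudo project. It reproduces the documented semantics: the command path is matched with '*' never crossing '/', a Cmnd with no argument part accepts any arguments, an argument of "" accepts none, and argument wildcards are matched against the whole argument string joined together. The /var/www directory and the entries in SCOPED_RULES are assumptions standing in for Robert's WWW host, and the command lines in SAMPLE_COMMANDS are constructed for the audit; quoting, PATH resolution, sudoedit and the regex-style entries of newer sudo releases are left out.

```python
import fnmatch
import re

# Constructed directory-scoped rules in the style of the thread; /var/www is
# an assumed web root, not a path taken from the original messages.
SCOPED_RULES = [
    "/bin/chown * /var/www/*",
    "/bin/chgrp * /var/www/*",
    "/bin/chmod * /var/www/*",
]

# Constructed command lines to audit (full paths, as sudo sees them after
# resolving the command name in the user's PATH).
SAMPLE_COMMANDS = [
    "/bin/chmod 644 /var/www/index.html",      # intended use
    "/bin/chmod -R 755 /var/www/html",         # extra flag, still in scope
    "/bin/chmod 644 /etc/passwd",              # out of scope: refused
    "/usr/bin/chmod 644 /var/www/index.html",  # different path: refused
    "/bin/chmod 644 /etc/passwd /var/www/x",   # '*' spans words: admitted
]


def _path_regex(pattern):
    """Translate the command-path part of a Cmnd entry into a regex.

    sudo matches the path like fnmatch(3) with FNM_PATHNAME: '*' and '?'
    never match '/', so /usr/bin/* matches /usr/bin/who but not
    /usr/bin/X11/xterm.
    """
    out = "^"
    for ch in pattern:
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
    return re.compile(out + "$")


def rule_matches(rule, command_line):
    """Return True if one sudoers Cmnd entry admits the given command line.

    Simplified emulation: paths containing spaces, shell quoting and the
    regex-style entries of newer sudo versions are not handled.
    """
    rule_path, _, rule_args = rule.partition(" ")
    cmd_path, _, cmd_args = command_line.partition(" ")
    if not _path_regex(rule_path).match(cmd_path):
        return False
    if rule_args == "":            # no argument part: any arguments allowed
        return True
    if rule_args == '""':          # explicit "": the command must get no args
        return cmd_args == ""
    # Arguments are compared as ONE concatenated string, so a '*' in the rule
    # also matches across spaces (see sudoers(5), "Wildcards").
    return fnmatch.fnmatchcase(cmd_args, rule_args)


def allowed(rules, command_line):
    """A command line is permitted if any rule in the list admits it."""
    return any(rule_matches(rule, command_line) for rule in rules)


def audit(rules, command_lines):
    """Map each command line to the verdict the rule set would give it."""
    return {cmd: allowed(rules, cmd) for cmd in command_lines}


if __name__ == "__main__":
    for cmd, ok in audit(SCOPED_RULES, SAMPLE_COMMANDS).items():
        print("ALLOW " if ok else "REFUSE", cmd)
```

The last sample line is the caveat the sudoers manual itself gives for argument wildcards: the concatenated arguments `644 /etc/passwd /var/www/x` match `* /var/www/*`, so a scoped rule constrains the shape of the command line, not the set of files the command ends up touching. Where the target files must really be enforced, the usual remedy is to allow only a small wrapper script (a Cmnd entry without wildcards) that validates its arguments before calling chmod.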



                                                                                                                               
From: "Woo, April" <April.Woo at spirentcom.com>
Sent by: sudo-users-admin@sudo.ws
Date: 10/07/2002 09:51 AM
To: "'meiemoehl at a1.net'" <meiemoehl at a1.net>
cc: sudo-users at sudo.ws
Subject: RE: sudo under a defined directory



Robert,

This is what I have set up for our users. Per my tests below, I think I was
unable to lock the commands down to specific directories.

april ;-)

***********************************************************************
SUDOERS FILE #1:

Cmnd_Alias      RUN_BASIC =\
                                /usr/bin/export,\
                                /usr/bin/ls,\
                                /usr/bin/find,\
                                /usr/bin/grep,\
                                /usr/bin/ps,\
                                /usr/bin/rm,\
                                /usr/bin/vi,\
                                /usr/bin/pwd,\
                                /usr/bin/cd,\
                                /usr/bin/cp
Cmnd_Alias      RUN_EXTENDED =\
                                /usr/bin/chgrp,\
                                /usr/bin/chown,\
                                /usr/bin/chmod,\
                                /usr/bin/mv

jsmith                 testserv1=NOPASSWD:RUN_BASIC,\
                        RUN_EXTENDED,\
                        /home/jsmith,\
                        /usr/local/share/bin

************************************************************************
SIMPLE TEST #1:

# su - jsmith

<testserv1>: id
uid=8888(jsmith) gid=1(staff)

<testserv1>: chmod 777 /home/user1/.profile
chmod: /home/user1/.profile: The file access permissions do not allow the specified action.

<testserv1>: ls -la
total 136
drwxr-xr-x   4 jsmith  staff        512 May 17 12:22 .
drwxr-xr-x 227 bin      bin         5632 Oct 07 08:31 ..
-rw-r--r--   1 jsmith  staff       7138 Jul 15 09:39 .profile

<testserv1>: chmod 777 /home/jsmith/.profile
<testserv1>: ls -la /home/jsmith/.profile
-rwxrwxrwx   1 jsmith  staff       7138 Jul 15 09:39 /home/jsmith/.profile


***********************************************************************

SUDOERS FILE #2:   (removed RUN_EXTENDED command list)

jsmith                 ganymede=NOPASSWD:RUN_BASIC,\
                        /home/jsmith,\
                        /usr/local/share/bin

SIMPLE TEST #2:

# su - jsmith

<testserv1>: id
uid=8888(jsmith) gid=1(staff)

<testserv1>: chown 777 /home/jsmith/.profile
chown: /home/jsmith/.profile: Operation not permitted.

************************************************************************


-----Original Message-----
From: meiemoehl at a1.net [mailto:meiemoehl at a1.net]
Sent: Sunday, October 06, 2002 8:16 AM
To: robert.gruber at inode.at
Subject: sudo under a defined directory


Hello!

How can I set up /etc/sudoers so that a command like /bin/chmod can only work
with superuser rights within a specified directory?

My /etc/sudoers:
---
Host_Alias WWW = 192.168.0.1

# User alias specification

# Cmnd alias specification
Cmnd_Alias CHOWN = /bin/chown
Cmnd_Alias CHGRP = /bin/chgrp
Cmnd_Alias CHMOD = /bin/chmod

# User privilege specification
root    ALL=(ALL) ALL
user1 WWW = NOPASSWD: CHOWN, CHGRP
user2 WWW = NOPASSWD: CHOWN, CHGRP, CHMOD
---

Thank you for your help!!

bye,
Robert

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users