Wrapper script to limit use of command to a directory?
AdrianSingh at HBOSplc.com
Thu Feb 20 04:25:41 EST 2003
Gael,
I've already done one for chown, try this for starters
#<------------------------------------->8 cut
#!/bin/ksh
#
# safe chown
#
# for use with sudo, check chown command against a list
# of allowed users and path names
#
# Adrian Singh <ade at solarisguru.com>
# for HBOS PLC Sep 2002
trap "print caught signal;exit 2" INT HUP TERM
# The allow lists below are space separated (the backslash-newline
# inside the double quotes is a line continuation), so IFS must contain
# a space; with a newline-only IFS each list is a single word and no
# user or path would ever match.
IFS=" "
PATH=/usr/bin
export PATH
umask 077
# call chown by absolute path so the wrapper does not depend on PATH
CHOWN=/usr/bin/chown
USAGE="Usage: schown [-R] username file ..."
################################################################################
################### Specify allowed users and paths here #######################
################################################################################
allowed_users="oraPLAY appPLAY oraGOLD appGOLD oraTRN1 appTRN1 \
oraFIN01 oraFIN03 oraFIN04 oraFIN05 oraFIN06 appFIN01 \
appFIN03 appFIN04 appFIN05 appFIN06 oraCONV appCONV \
oraPATCH appPATCH oraSYS appSYS oraIFACE ost appIFCE1 \
appIFCE2 appIFCE3 oraDEV11 appDEV11 oraDEV12 appDEV12 \
oracle apache"
allowed_paths="/u01 /u02 /u03 /u04 /u05 /u06 /u07 /u08 /u09 /u10 \
/u11 /u12 /u13 /u14 /opt/patches \
/opt/freeware/apache/share/htdocs \
/tmp /usr/tmp"
################################################################################
################################################################################
################################################################################
# process command line vars
RFLAG=
while getopts R opt
do
case $opt in
R) RFLAG=R;;
\?) print -u2 "$USAGE";exit 2;;
esac
done
shift $(($OPTIND - 1))
# check we still have args on the command line
[[ $# -lt 2 ]] && { print -u2 "$USAGE"; exit 2; }
# first arg is the user:group spec
user_grp_spec=$1
shift
# check if user spec is allowed
if [[ $user_grp_spec = *:* ]]
then
print -u2 "schown: $user_grp_spec: ERROR not allowed to change group"
exit 2
fi
# exact string comparison: the right-hand side of [[ = ]] is a pattern
# unless quoted, so a user spec such as "*" must not be left unquoted
user_ok=false
for allowed_user in $allowed_users
do
if [[ $allowed_user = "$user_grp_spec" ]]
then
user_ok=true
break
fi
done
if [[ $user_ok != true ]]
then
print -u2 "schown: $user_grp_spec: user not allowed"
exit 2
fi
# check if file spec is allowed, one at a time; iterate over "$@" rather
# than testing [ -n "$1" ], which would stop at an empty argument
status=0
for path in "$@"
do
path_ok=false
if [[ $path != /* ]]
then
print -u2 "schown: $path : ERROR not absolute path"
status=1
continue
fi
if [[ $path = *..* ]]
then
print -u2 "schown: $path : \"..\" not allowed in path"
status=1
continue
fi
for allowed_path in $allowed_paths
do
# accept the allowed directory itself or anything below it;
# a bare prefix match (${allowed_path}*) would also accept
# /tmpfoo or /u01x
if [[ $path = "$allowed_path" || $path = "$allowed_path"/* ]]
then
# run chown with "-h" so that a sym link given as the final
# component is changed rather than followed; a sym link in an
# intermediate directory is still followed by the kernel, which
# matters for world-writable entries such as /tmp
print running $CHOWN -h$RFLAG "$user_grp_spec" "$path"
$CHOWN -h$RFLAG "$user_grp_spec" "$path"
path_ok=true
break
fi
done
if [[ $path_ok = false ]]
then
print -u2 "schown: $path: path not allowed"
status=1
fi
done
# non-zero if any path was rejected
exit $status
#<-------------------->8 cut
Adrian Singh
Service Management - Security Operations, Unix
Service Delivery
Group Technology
HBOS PLC
Post: PY/E1/ITSM/SO/AS
Direct Dial: 0113 235 3453
Ext: 53453
-----Original Message-----
From: Gael Lams [mailto:g_lams at yahoo.com]
Sent: 20 February 2003 09:18
To: sudo-users at sudo.ws
Subject: Wrapper script to limit use of command to a directory?
Hi,
I'm trying to limit the use of 4 commands to one
directory, let's say /usr/local/dirA
I discovered yesterday that globbing doesn't work and
that I need to use pattern matching.
I've tried to use it, for instance,
-for the "chmod" command, I've written in my sudoers:
/bin/chmod .+ /usr/local/dirA/.+
and for the "cp" command:
/bin/cp .+ /usr/local/dirA/.+
I've tried also with .*, but it doesn't work (user not
allowed) even if, as far as I know, .* should match
any string, shouldn't it?
Last question:
I read in this mailing list that it would be better
not to use pattern matching in sudoers, instead use
a wrapper script, but I don't really know how to do it,
where to start.
Any help would be greatly appreciated
Have a nice day all
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
--
------------------------------------------------------------------------------
HBOS plc, Registered in Scotland No. SC218813. Registered Office: The Mound, Edinburgh EH1 1YZ. HBOS plc is a holding company, subsidiaries of which are regulated by the Financial Services Authority.
==============================================================================
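The allow-list path check at the heart of a wrapper like the one above, written out as a stand-alone bash example. This is added here and is not the posted schown script or anything shipped with sudo. It assumes a constructed allow list (ALLOWED_PATHS) and builds its own temporary directory tree for the symlink case. path_allowed is the textual check (the path must be absolute, contain no "." or ".." components, and be an allowed root or lie below one; a bare prefix match would also accept /tmpfoo), canonical_path resolves the directory part through symlinks with cd -P, and safe_path_allowed combines the two. symlink_demo shows why the second step matters: a link planted under an allowed directory passes the textual check but not the canonical one.

```shell
#!/bin/bash
# Added example: allow-list path check for a sudo wrapper, plus the
# canonicalisation step a textual check alone does not give you.
# ALLOWED_PATHS is a constructed allow list for this example.

ALLOWED_PATHS="/u01 /u02 /opt/patches /tmp"

# path_allowed PATH
# Returns 0 when PATH is absolute, has no "." or ".." components and is
# either one of the allowed roots or lies beneath one.
path_allowed() {
    local p=$1 root
    case "$p" in
        /*) ;;
        *)  return 1 ;;                 # relative paths are never allowed
    esac
    case "/$p/" in
        */../*|*/./*) return 1 ;;       # reject traversal and dot components
    esac
    for root in $ALLOWED_PATHS; do
        # exact root, or the root followed by a slash and more path;
        # "/tmpfoo" does not satisfy either test
        if [ "$p" = "$root" ] || [ "${p#"$root"/}" != "$p" ]; then
            return 0
        fi
    done
    return 1
}

# canonical_path PATH
# Prints PATH with its directory part resolved through symlinks, so that
# "/tmp/link/secret" becomes "/etc/secret" when /tmp/link -> /etc.
# The final component is left alone: chown -h must see the link itself.
# Fails (returns 1) if the directory cannot be resolved.
canonical_path() {
    local dir base
    dir=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    base=$(basename -- "$1")
    [ "$dir" = / ] && dir=
    printf '%s/%s\n' "$dir" "$base"
}

# safe_path_allowed PATH
# The check a wrapper should actually run: canonicalise first, then apply
# the allow list to the resolved path.
safe_path_allowed() {
    local resolved
    resolved=$(canonical_path "$1") || return 1
    path_allowed "$resolved"
}

# symlink_demo
# Constructed layout under a temporary directory:
#   $T/allowed/link -> $T/outside
# With ALLOWED_PATHS set to "$T/allowed", the textual check accepts
# "$T/allowed/link/secret" while the canonical check rejects it.
# Returns 0 when that is what happens.
symlink_demo() {
    local T saved textual canonical
    T=$(mktemp -d) || return 1
    T=$(cd -P -- "$T" && pwd -P) || return 1   # mktemp itself may sit under a symlink
    mkdir -p "$T/allowed" "$T/outside"
    ln -s "$T/outside" "$T/allowed/link"
    saved=$ALLOWED_PATHS
    ALLOWED_PATHS="$T/allowed"
    path_allowed "$T/allowed/link/secret" && textual=accepted || textual=rejected
    safe_path_allowed "$T/allowed/link/secret" && canonical=accepted || canonical=rejected
    ALLOWED_PATHS=$saved
    rm -rf "$T"
    echo "textual=$textual canonical=$canonical"
    [ "$textual" = accepted ] && [ "$canonical" = rejected ]
}

# run the demo when invoked as: bash wrapper_check.sh demo
case ${1-} in
    demo) symlink_demo ;;
esac
```

Run it as `bash wrapper_check.sh demo` to see both verdicts for the symlinked path. In sudoers the wrapper, not chown, is what the user is granted, for example `gael ALL = /usr/local/bin/schown` (a constructed line), so the only arguments that reach chown are the ones the wrapper has already checked.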