Wrapper script to limit use of command to a directory?

AdrianSingh at HBOSplc.com
Thu Feb 20 04:25:41 EST 2003


Gael,

I've already done one for chown; try this for starters:


#<------------------------------------->8 cut
#!/bin/ksh
#
# safe chown
#
# for use with sudo, check chown command against a list
# of allowed users and path names
#
# Adrian Singh <ade at solarisguru.com>
# for HBOS PLC Sep 2002


trap "print caught signal;exit 2" INT HUP TERM
# default word splitting (space, tab, newline) so the allowed_* lists
# below split on spaces; with a newline-only IFS each list stays one
# word and every user is rejected
unset IFS
PATH=/usr/bin
export PATH
umask 077

USAGE="Usage: schown [-R] username file ..."

################################################################################
################### Specify allowed users and paths here #######################
################################################################################

allowed_users="oraPLAY appPLAY oraGOLD appGOLD oraTRN1 appTRN1 \
               oraFIN01 oraFIN03 oraFIN04 oraFIN05 oraFIN06 appFIN01 \
               appFIN03 appFIN04 appFIN05 appFIN06 oraCONV appCONV \
               oraPATCH appPATCH oraSYS appSYS oraIFACE ost appIFCE1 \
               appIFCE2 appIFCE3 oraDEV11 appDEV11 oraDEV12 appDEV12 \
               oracle apache"


allowed_paths="/u01 /u02 /u03 /u04 /u05 /u06 /u07 /u08 /u09 /u10 \
              /u11 /u12 /u13 /u14 /opt/patches \
              /opt/freeware/apache/share/htdocs \
              /tmp /usr/tmp"

################################################################################
################################################################################
################################################################################


# process command line vars
while getopts R opt
do
   case $opt in
        R)   RFLAG=R;;
       \?)   print -u2 "$USAGE";exit 2;;
   esac
done

shift $(($OPTIND - 1))

# check we still have args on the command line
[[ $# -lt 2 ]] && { print -u2 "$USAGE"; exit 2; }

# first arg is the user:group spec
user_grp_spec=$1

shift

# check if user spec is allowed
if [[ $user_grp_spec = *:* ]]
then
    print -u2 "schown: $user_grp_spec: ERROR not allowed to change group"
    exit 2
fi


# exact string comparison: the right-hand side is quoted so a spec
# such as "*" or "ora*" is not treated as a pattern
user_ok=false
for allowed_user in $allowed_users
do
    if [[ $allowed_user = "$user_grp_spec" ]]
    then
        user_ok=true
        break
    fi
done

if [[ $user_ok != true ]]
then
    print -u2 "schown: $user_grp_spec: user not allowed"
    exit 2
fi


# check if file spec is allowed, one at a time
rc=0
while [[ $# -gt 0 ]]
do
    path_ok=false
    if [[ $1 != /* ]]
    then
        print -u2 "schown: $1 : ERROR not absolute path"
        rc=1
        shift
        continue
    fi

    if [[ $1 = *..* ]]
    then
        print -u2 "schown: $1 : \"..\" not allowed in path"
        rc=1
        shift
        continue
    fi

    for allowed_path in $allowed_paths
    do
        # the file must be the allowed directory itself or below it;
        # a bare prefix match would let /u01 also cover /u011
        if [[ $1 = "$allowed_path" || $1 = "$allowed_path"/* ]]
        then
            # run chown with "-h" to stop sym link attacks on the final
            # component (a symlinked directory earlier in the path, e.g.
            # under /tmp, is still followed)
            # "$user_grp_spec" and "$1" are quoted so an argument containing
            # whitespace cannot split into extra paths for chown
            print running chown -h$RFLAG "$user_grp_spec" "$1"
            chown -h$RFLAG "$user_grp_spec" "$1"
            path_ok=true
            break
        fi
    done

    if [[ $path_ok = false ]]
    then
        print -u2 "schown: $1: path not allowed"
        rc=1
    fi
    shift
done
exit $rc
#<-------------------->8 cut

Adrian Singh
Service Management - Security Operations, Unix
Service Delivery
Group Technology
HBOS PLC
Post: PY/E1/ITSM/SO/AS 
Direct Dial: 0113 235 3453
Ext: 53453
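An added example, not part of Adrian's script or of Gael's sudoers, that generalises the schown checks (absolute path, no "..", inside an allowed tree) to any command confined to one directory, such as Gael's chmod and cp under /usr/local/dirA. It goes beyond the posted script in two ways: the parent directory's symlinks are resolved before the path is compared with the allowed tree, and the command is re-invoked with "$@" so one argument can never be split into two paths. It is plain POSIX sh; the names path_allowed, safe_cmd and the temporary layout used to demonstrate it are this example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): a generic sudo wrapper that
# confines one command to one directory. Names are this example's own.

PATH=/usr/bin:/bin
export PATH
unset IFS          # default space/tab/newline splitting
umask 077

# path_allowed CANDIDATE ALLOWED_DIR
#   Prints the parent-resolved path and returns 0 when CANDIDATE is absolute,
#   has no ".." component, is not itself a symlink, and (after the parent
#   directory's symlinks are resolved) lies in ALLOWED_DIR. Else returns 1.
path_allowed() {
    cand=$1
    adir=$2
    case $cand in
        /*) ;;
        *)  echo "rejected (not absolute): $cand" >&2; return 1 ;;
    esac
    # test for a ".." component, so "a..b" passes but "/x/../y" and "/x/.." fail
    case "$cand/" in
        */../*) echo "rejected ('..' component): $cand" >&2; return 1 ;;
    esac
    # resolve both sides with cd -P/pwd -P; comparing against "dir" or "dir/*"
    # also avoids the bare-prefix bug where /u01 would cover /u011
    real_dir=$(cd -P -- "$adir" 2>/dev/null && pwd -P) || {
        echo "rejected (allowed dir missing): $adir" >&2; return 1; }
    parent=$(dirname -- "$cand")
    base=$(basename -- "$cand")
    real_parent=$(cd -P -- "$parent" 2>/dev/null && pwd -P) || {
        echo "rejected (parent missing or unreadable): $cand" >&2; return 1; }
    if [ "$real_parent" = / ]; then real_parent=; fi
    resolved="$real_parent/$base"
    case $resolved in
        "$real_dir"|"$real_dir"/*) ;;
        *) echo "rejected (outside $adir): $cand" >&2; return 1 ;;
    esac
    # the final component is not resolved: refuse symlinks outright rather
    # than depending on each command having a "-h" option like chown
    if [ -L "$resolved" ]; then
        echo "rejected (symlink): $cand" >&2; return 1
    fi
    printf '%s\n' "$resolved"
}

# safe_cmd ALLOWED_DIR NFIXED COMMAND ARG...
#   The first NFIXED ARGs (e.g. chmod's mode, the analogue of schown's user
#   spec) pass only if they are plain words (no leading "-", no "/"), so no
#   option can be smuggled in; every remaining ARG must pass path_allowed.
#   The argument list is rebuilt with "$@", so whitespace inside an argument
#   never turns it into two arguments.
safe_cmd() {
    sdir=$1; nfixed=$2; cmd=$3; shift 3
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        if [ "$nfixed" -gt 0 ]; then
            case $arg in
                -*|*/*) echo "rejected (fixed argument): $arg" >&2; return 2 ;;
            esac
            nfixed=$((nfixed - 1))
        else
            arg=$(path_allowed "$arg" "$sdir") || return 2
        fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    "$cmd" "$@"
}

# Installed as a wrapper, the last line of the script would be e.g.
#   safe_cmd /usr/local/dirA 1 /bin/chmod "$@"
# and sudoers grants that wrapper instead of /bin/chmod itself.
```

A per-command whitelist of the fixed arguments (as schown does for the user names) is stronger than the plain-word rule above. The checks and the command still run at two different moments, so the wrapper should not be granted over trees where the invoking user can rename directories or create symlinks between them; where the command has its own no-follow option, use it as chown's -h is used in schown.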



-----Original Message-----
From: Gael Lams [mailto:g_lams at yahoo.com]
Sent: 20 February 2003 09:18
To: sudo-users at sudo.ws
Subject: Wrapper script to limit use of command to a directory?


Hi,

I'm trying to limit the use of 4 commands to one
directory, let's say /usr/local/dirA.
I discovered yesterday that globbing doesn't work and
that I need to use pattern matching.
I've tried to use it; for instance,
for the "chmod" command, I've written in my sudoers:
/bin/chmod .+ /usr/local/dirA/.+
and for the "cp" command:
/bin/cp .+ /usr/local/dirA/.+

I've also tried .*, but it doesn't work (user not
allowed) even if, as far as I know, .* should match
any string, shouldn't it?

Last question:
I read in this mailing list that it would be better
not to use pattern matching in sudoers and to use a
wrapper script instead, but I don't really know how
to do it or where to start.

Any help would be greatly appreciated

Have a nice day all


