[sudo-users] Restrict commands to a specific directory tree

Patrick Spinler spinler.patrick at mayo.edu
Sat Apr 18 13:51:22 EDT 2009

That's quite tough to do securely.  Think about the consequences of soft
and hard links, bind mounts, and being able to chown an suid executable
to a privileged user, as just a few issues.

Ergo, there's no general solution for this, as far as I know.

What I've done is written a set of very limited functionality wrapper
programs wherein I resolve symlinks *then* check against allowed paths,
only allow setting ownership to a very limited set of users, only allow
setting perms when owned by one of those limited set of users, etc.
Further, I'm very careful to always set the limited set of allowed
directories to be rooted in its own filesystem to avoid the hardlink

Even with this, I'm still pretty paranoid about it, and rarely enable
these for people.  I'm certain I'll still have missed some security issues.

Lesson is: security is hard, and chown and chmod are two of the worst to
get right.

-- Pat

KENNEY, William P. (Info. Tech. Services) wrote:
> Hello,
> I would like to give some privileges to a small group of users that will
> allow them to modify files and sub-directories in a specific directory
> tree on my server, and nowhere else.
> The commands are chown and chmod.
> After reading the documentation and searching the archives I can't seem
> to find what I need.
> TIA,
> Bill

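The checks described in the message above, sketched as an added example; this is not Patrick's wrapper code and not part of the original post. The names `open_checked`, `restricted_chown` and `Refused`, and the `root` and `allowed_uids` policy inputs, are hypothetical.

```python
import os
import stat

class Refused(Exception):
    """Raised when a target fails a policy check."""

def open_checked(path, root, allowed_uids):
    """Return an open fd for path if it passes every check, else raise Refused.

    root (allowed tree) and allowed_uids are assumed policy inputs."""
    root_real = os.path.realpath(root)
    real = os.path.realpath(path)          # resolve symlinks *then* compare
    if os.path.commonpath([real, root_real]) != root_real:
        raise Refused("outside allowed tree: " + real)
    try:
        # O_NOFOLLOW: fail if the final component is a symlink by now.
        # O_NONBLOCK: do not hang on a FIFO before it can be rejected.
        fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise Refused("cannot open safely: %s" % exc)
    try:
        st = os.fstat(fd)                  # inspect the inode actually held
        is_reg = stat.S_ISREG(st.st_mode)
        if st.st_dev != os.stat(root_real).st_dev:
            raise Refused("different filesystem mounted inside the tree")
        if not (is_reg or stat.S_ISDIR(st.st_mode)):
            raise Refused("not a regular file or directory")
        if is_reg and st.st_nlink > 1:
            raise Refused("hard-linked file")
        if is_reg and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            raise Refused("setuid/setgid file")
        if st.st_uid not in allowed_uids:
            raise Refused("current owner not in allowed set")
    except Refused:
        os.close(fd)
        raise
    return fd

def restricted_chown(path, new_uid, root, allowed_uids):
    """chown path to new_uid only if both owners and the path pass policy."""
    if new_uid not in allowed_uids:
        raise Refused("new owner not in allowed set")
    fd = open_checked(path, root, allowed_uids)
    try:
        os.fchown(fd, new_uid, -1)         # acts on the checked inode, not the name
    finally:
        os.close(fd)
```

`O_NOFOLLOW` only covers the final path component, so a user who can rename directories inside the tree can still race the intermediate components between `realpath()` and `open()`. The `st_dev` comparison also does not notice a bind mount of the same filesystem.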

