[sudo-users] Restrict commands to a specific directory tree

Patrick Spinler spinler.patrick at mayo.edu
Sat Apr 18 13:51:22 EDT 2009



That's quite tough to do securely.  Think about the consequences of soft
and hard links, bind mounts, and being able to chown an suid executable
to a privileged user, as just a few issues.

Ergo, there's no general solution for this, as far as I know.

What I've done is written a set of very limited functionality wrapper
programs wherein I resolve symlinks *then* check against allowed paths,
only allow setting ownership to a very limited set of users, only allow
setting perms when owned by one of those limited set of users, etc.
Further, I'm very careful to always set the limited set of allowed
directories to be rooted in its own filesystem to avoid the hardlink
issues.

Even with this, I'm still pretty paranoid about it, and rarely enable
these for people.  I'm certain I'll still have missed some security issues.

Lesson is: security is hard, and chown and chmod are two of the worst to
get right.

-- Pat

KENNEY, William P. (Info. Tech. Services) wrote:
> Hello,
>
> I would like to give some privileges to a small group of users that will
> allow them to modify files and sub-directories in a specific directory
> tree on my server, and nowhere else.
>
> The commands are chown and chmod.
>
> After reading the documentation and searching the archives I can't seem
> to find what I need.
>
> TIA,
>
> Bill

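The checks described in the reply above (resolve symlinks, then compare against the allowed tree; restrict the owners that may be set; guard against hard links) can be put together as in the following added example, which is not the poster's wrapper or part of sudo. `ALLOWED_ROOT`, `ALLOWED_UIDS`, `Refused` and `restricted_chown` are hypothetical names and values chosen for illustration, and the setuid/setgid refusal is this example's response to the suid concern raised in the reply.

```python
import os
import stat
import sys

ALLOWED_ROOT = "/srv/shared"   # hypothetical tree, ideally its own filesystem
ALLOWED_UIDS = {1001, 1002}    # hypothetical: the only owners that may be set

class Refused(Exception):
    """The request falls outside the wrapper's policy."""

def restricted_chown(path, uid, root=ALLOWED_ROOT, allowed_uids=ALLOWED_UIDS):
    if uid not in allowed_uids:
        raise Refused("owner is not in the allowed set")
    root = os.path.realpath(root)
    real = os.path.realpath(path)  # resolve symlinks first, *then* compare
    if os.path.commonpath([root, real]) != root:
        raise Refused("resolved path is outside the allowed tree")
    # O_NOFOLLOW: fail if the last component was swapped for a symlink after
    # the check. Everything below acts on the descriptor, not the name.
    fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        is_file = stat.S_ISREG(st.st_mode)
        if not (is_file or stat.S_ISDIR(st.st_mode)):
            raise Refused("only regular files and directories are handled")
        if st.st_dev != os.stat(root).st_dev:
            raise Refused("target is on a different filesystem")
        if is_file and st.st_nlink > 1:
            raise Refused("file has additional hard links")
        if is_file and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            raise Refused("setuid/setgid file")
        os.fchown(fd, uid, -1)  # -1 leaves the group unchanged
    finally:
        os.close(fd)

if __name__ == "__main__":
    # Intended to be the only command granted in sudoers: wrapper UID PATH
    try:
        restricted_chown(sys.argv[2], int(sys.argv[1]))
    except (Refused, OSError, ValueError, IndexError) as exc:
        sys.exit(f"refused: {exc}")
```

A race remains on intermediate directories between `realpath()` and `open()` when the users can rename things inside the tree, so this narrows the problem without closing it.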


