[sudo-users] Restrict commands to a specific directory tree
spinler.patrick at mayo.edu
Sat Apr 18 13:51:22 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
That's quite tough to do securely. Think about the consequences of soft
and hard links, bind mounts, and being able to chown an suid executable
to a privileged user, as just a few issues.
Ergo, there's no general solution for this, as far as I know.
What I've done is written a set of very limited functionality wrapper
programs wherein I resolve symlinks *then* check against allowed paths,
only allow setting ownership to a very limited set of users, only allow
setting perms when owned by one of those limited set of users, etc.
Further, I'm very careful to always set the limited set of allowed
directories to be rooted in it's own filesystem to avoid the hardlink
Even with this, I'm still pretty paranoid about it, and rarely enable
these for people. I'm certain I'll still have missed some security issues.
Lesson is: security is hard, and chown and chmod are two of the worst to
- -- Pat
KENNEY, William P. (Info. Tech. Services) wrote:
> I would like to give some privileges to a small group of users that will
> allow them to modify files and sub-directories in a specific directory
> tree on my server, and nowhere else.
> The commands are chown and chmod.
> After reading the documentation and searching the archives I can't seem
> to find what I need.
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the sudo-users