[sudo-users] Offtopic: file permissions Re: Restrict commands to a specific directory tree

Patrick Spinler spinler.patrick at mayo.edu
Sun Apr 19 09:33:07 EDT 2009



Robin Holt wrote:
> On Sat, Apr 18, 2009 at 11:23:14AM -0700, Russell Van Tassell wrote:
>> You'll most-likely need to script something like that, if you really
>> need repeated chown/chmod in a given tree... there's nothing native in
>> sudo to restrict a user to a directory structure.  If you really want to
>> use sudo for it, chances are a simple script or two can provide the
>> functionality you need (e.g. one script that auto-fixes an entire tree,
>> another that works under a chroot'd environment and takes arguments,
>> etc).
>>
>> Note: generally you can get creative with un*x permissions (including
>> things like sticky bits) to accomplish limited shared files or similar.
>> Most modern OSes also include things like ACLs these days, which go over
>> and above traditional un*x permissions.
> 
> XFS filesystem has ACLs.  I use them for exactly the above.  It is being
> included with most distros now as well and will be soon on RedHat
> Enterprise.
> 

Thankfully many modern Linux filesystems nicely support ACLs now, with
the right mount options used:

http://linuxmafia.com/faq/VALinux-kb/acls.html

Just be aware that many standard backup utilities are ACL unaware.  Test
your own backup solution, and make sure you have something in place for
this.

We're investigating using cfengine rulesets as both our master ACL
repository and, since the rulesets are just plain text files, a free
backup of those ACLs.  See this for details:

http://www.cfengine.org/docs/cfengine-Reference.html#acl

-- Pat
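One way to act on the "test your own backup solution" advice above, as an added example (not code from the thread or from cfengine): a small Python checker that diffs `getfacl -R` output captured before a backup and again after a restore, and flags files whose extended ACL entries the backup tool dropped. The two dumps and the `shared/report.txt` path are constructed sample data.

```python
"""Compare two `getfacl -R` dumps (original tree vs. restored backup) and
report files whose POSIX ACL entries were lost or changed. Added checker,
not from the thread; the dumps below are constructed sample output."""

def parse_getfacl(dump):
    """Map each '# file:' path to the set of its ACL entry lines."""
    acls, path = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            path = line[len("# file:"):].strip()
            acls[path] = set()
        elif line and not line.startswith("#") and path is not None:
            acls[path].add(line)  # skips blanks and owner/group/flags comments
    return acls

def acl_diff(original, restored):
    """Return {path: (lost, extra)} for files whose ACL changed after restore;
    a path absent from the restore reports all of its entries as lost."""
    src, dst = parse_getfacl(original), parse_getfacl(restored)
    problems = {}
    for path, entries in src.items():
        got = dst.get(path, set())
        if entries != got:
            problems[path] = (entries - got, got - entries)
    return problems

# Capture with `cd /data && getfacl -R . > before.txt` before the backup, and
# the same command under the restore point afterwards, so paths line up.
ORIGINAL = """\
# file: shared/report.txt
# owner: alice
# group: devs
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::---
"""
# Restore by a tool that kept only mode bits: bob's entry and the mask are
# gone, and the old mask bits now appear as plain group permissions.
RESTORED = """\
# file: shared/report.txt
# owner: alice
# group: devs
user::rw-
group::rw-
other::---
"""
if __name__ == "__main__":
    for path, (lost, extra) in sorted(acl_diff(ORIGINAL, RESTORED).items()):
        print(f"{path}: lost {sorted(lost)} gained {sorted(extra)}")
```

Note that losing the mask entry does not just drop bob's access: the restored file's group permissions widen from r-- to rw-, so a dropped ACL can silently grant access as well as remove it.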