[sudo-users] Restricting the execution of commands to a specific directory tree?
spinler.patrick at mayo.edu
Fri Feb 6 10:33:40 EST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Anna Jones wrote:
> Hi All,
> I need to configure a user called web to execute the following commands "rm, chmod, chgrp" on the specific directory tree "/usr/local/apache2/htdocs" using sudo. I don't want web to be able to use these commands on any other system directories. Does any one know how to configure this with visudo?
> Thank you for you support.
> Please reply to all so I can get this at work.
For what it's worth - I did something similar for chown and chmod. I
did not attempt to get the generic commands "chown" and "chmod" to work.
There's a fundimental problem - if someone can chmod or chown arbitrary
files / owners and permissions, even in a limited directory tree, then
cracking root on the machine is as simple as:
cp /bin/sh my_directory_path
chown root my_directory_path/sh
chmod u+s my_directory_path/sh
It gets even worse when you begin considering things like symlinks in
your directory tree pointing to utilities like /bin/sh.
Instead, I wrote somewhat more secure replacements in Perl running in
taint mode, which limited the users and groups that could be chown'd to
and from, and limited the directory tree that this could be done in
(processing for symlinks and the like, also).
Then, I allowed specified users to use sudo to invoke these perl scripts.
If you'd like, I can send you a copy of my chown and chmod scripts.
- -- Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the sudo-users