[sudo-users] Restricting the execution of commands to a specific directory tree?

Patrick Spinler spinler.patrick at mayo.edu
Fri Feb 6 10:33:40 EST 2009


Anna Jones wrote:
> Hi All,
> 
> I need to configure a user called web to execute the following commands "rm, chmod, chgrp" on the specific directory tree "/usr/local/apache2/htdocs" using sudo.  I don't want web to be able to use these commands on any other system directories.  Does anyone know how to configure this with visudo?
> 
> Thank you for your support.
> Please reply to all so I can get this at work.
> 
> Anna

For what it's worth - I did something similar for chown and chmod.  I
did not attempt to get the generic commands "chown" and "chmod" to work.
There's a fundamental problem - if someone can chmod or chown arbitrary
files / owners and permissions, even in a limited directory tree, then
cracking root on the machine is as simple as:

  cp /bin/sh my_directory_path
  chown root my_directory_path/sh
  chmod u+s my_directory_path/sh
  my_directory_path/sh

It gets even worse when you begin considering things like symlinks in
your directory tree pointing to utilities like /bin/sh.

Instead, I wrote somewhat more secure replacements in Perl running in
taint mode, which limited the users and groups that could be chown'd to
and from, and limited the directory tree that this could be done in
(processing for symlinks and the like, also).

Then, I allowed specified users to use sudo to invoke these perl scripts.

If you'd like, I can send you a copy of my chown and chmod scripts.

-- Pat

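The approach described in the message above, as an added Python example (not the Perl scripts Pat mentions, and not part of the original message): chmod and chown wrappers that stay inside one tree, refuse any symlink in the path, refuse setuid/setgid/sticky bits, and only chown to allowlisted owners. `ALLOWED_OWNERS`, `Refused` and the function names are assumptions made for illustration.

```python
import os
import pwd
import stat

TREE = "/usr/local/apache2/htdocs"  # directory tree from the question
ALLOWED_OWNERS = {"web"}            # assumption: accounts chown may hand files to

class Refused(Exception):
    """The request falls outside the policy."""

def open_inside(tree, relpath):
    """Open relpath below tree one component at a time, never following symlinks."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts or relpath.startswith("/"):
        raise Refused("path must be relative and stay below the tree")
    fd = os.open(tree, os.O_RDONLY | os.O_DIRECTORY)
    for part in parts:
        try:
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=fd)
        except OSError as exc:  # a symlink component fails here (ELOOP on Linux)
            raise Refused(f"cannot open {part!r}: {exc.strerror}") from exc
        finally:
            os.close(fd)  # the parent descriptor is no longer needed
        fd = nxt
    st = os.fstat(fd)
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        os.close(fd)
        raise Refused("only regular files and directories are handled")
    return fd

def restricted_chmod(relpath, mode, tree=TREE):
    """chmod limited to the tree and to plain permission bits."""
    if mode & ~0o777:
        raise Refused("setuid, setgid and sticky bits are refused")
    fd = open_inside(tree, relpath)
    try:
        os.fchmod(fd, mode)  # acts on the descriptor, not on a re-resolved path
    finally:
        os.close(fd)

def restricted_chown(relpath, owner, tree=TREE):
    """chown limited to the tree and to an allowlist of target owners."""
    if owner not in ALLOWED_OWNERS:
        raise Refused(f"owner {owner!r} is not on the allowlist")
    fd = open_inside(tree, relpath)
    try:
        os.fchown(fd, pwd.getpwnam(owner).pw_uid, -1)  # -1 leaves the group as is
    finally:
        os.close(fd)
```

The sudoers entry then names only a script built on these functions, never `chmod` or `chown` themselves.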


