[sudo-users] sudo locked down Cmnd alias

Richard van den Berg richard at vdberg.org
Fri Dec 17 06:55:45 EST 2010

On 17-12-10 09:23 , Brent Clark wrote:
> I have a client that has two users on our server. He would like to
> chown and chmod all files in his directory that are owned by www-data.
> Understandibilty, we are concerned about giving sudo access.
> Does anyone know if its possible to have a locked down Cmnd alias of
> chmod and chown.

For chown:

/usr/bin/chown john /home/john/*
!/usr/bin/chown john /home/john/*..*
!/usr/bin/chown john /home/john/* *

You can do something similar for chmod, but it depends on what they
need. For example:

/usr/bin/chmod g+r,o+r /home/john/*
!/usr/bin/chmod g+r,o+r /home/john/*..*
!/usr/bin/chmod g+r,o+r /home/john/* *

Be careful. A combination of sudo's for chmod and chown set too widely
can easily lead to a root shell.



More information about the sudo-users mailing list