[sudo-users] sudo-users Digest, Vol 96, Issue 8

Alexandre Lucas alexandremlucas at gmail.com
Fri Dec 17 18:03:41 EST 2010


Besides the information from the previous comment, maybe it would be
interesting to restrict chmod with the help of regex:

/usr/bin/chmod [0-7][0-7][0-7] /home/john/*
!/usr/bin/chmod [0-7][0-7][0-7] /home/john/*..*
!/usr/bin/chmod [0-7][0-7][0-7] /home/john/* *

Because special permissions aren't a good idea for security :)

Another important thing: ask your client how many levels of directories he/she
needs to run these commands on, so you can set it up:

/usr/bin/chmod [0-7][0-7][0-7] /home/john/*
/usr/bin/chmod [0-7][0-7][0-7] /home/john/*/*
/usr/bin/chmod [0-7][0-7][0-7] /home/john/*/*/*
!/usr/bin/chmod [0-7][0-7][0-7] /home/john/*..*
!/usr/bin/chmod [0-7][0-7][0-7] /home/john/* *

Regards,
Alexandre M. Lucas



2010/12/17 <sudo-users-request at courtesan.com>

> Today's Topics:
>
>   1. sudo locked down Cmnd alias (Brent Clark)
>   2. Re: sudo locked down Cmnd alias (Richard van den Berg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 17 Dec 2010 10:23:11 +0200
> From: Brent Clark <brentgclarklist at gmail.com>
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudo locked down Cmnd alias
> Message-ID:
>        <AANLkTikDXtQD7Mv6paT2T1mFCCm1JFcRHXi9b+viiPzF at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hiya
>
> I have a client that has two users on our server. He would like to
> chown and chmod all files in his directory that are owned by www-data.
>
> Understandably, we are concerned about giving sudo access.
>
> Does anyone know if it's possible to have a locked down Cmnd alias of
> chmod and chown?
>
> If anyone can help. It would be appreciated.
>
> Kind Regards
> Brent Clark
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 17 Dec 2010 12:55:45 +0100
> From: Richard van den Berg <richard at vdberg.org>
> To: Brent Clark <brentgclarklist at gmail.com>
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudo locked down Cmnd alias
> Message-ID: <4D0B4FC1.9060708 at vdberg.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 17-12-10 09:23 , Brent Clark wrote:
> > I have a client that has two users on our server. He would like to
> > chown and chmod all files in his directory that are owned by www-data.
> >
> > Understandably, we are concerned about giving sudo access.
> >
> > Does anyone know if it's possible to have a locked down Cmnd alias of
> > chmod and chown?
>
> For chown:
>
> /usr/bin/chown john /home/john/*
> !/usr/bin/chown john /home/john/*..*
> !/usr/bin/chown john /home/john/* *
>
> You can do something similar for chmod, but it depends on what they
> need. For example:
>
> /usr/bin/chmod g+r,o+r /home/john/*
> !/usr/bin/chmod g+r,o+r /home/john/*..*
> !/usr/bin/chmod g+r,o+r /home/john/* *
>
> Be careful. A combination of sudos for chmod and chown set too widely
> can easily lead to a root shell.
>
> Cheers,
>
> Richard
>
>
> ------------------------------
>
> End of sudo-users Digest, Vol 96, Issue 8
> *****************************************
>
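To see why the two negated lines matter, here is an added example (not code from the thread or from the sudo project) that emulates sudoers evaluation of the chmod rules above against a few constructed command lines. It assumes sudo compares the argument string with fnmatch(3) and no FNM_PATHNAME flag, so `*` also matches `/` and spaces, and that a later `!` rule overrides an earlier positive match.

```python
import fnmatch

# Constructed sudoers Cmnd fragment, as proposed in the thread: one positive
# rule plus two negated ('!') rules that override it.
RULES = [
    "/usr/bin/chmod [0-7][0-7][0-7] /home/john/*",
    "!/usr/bin/chmod [0-7][0-7][0-7] /home/john/*..*",
    "!/usr/bin/chmod [0-7][0-7][0-7] /home/john/* *",
]


def allowed(cmdline, rules=RULES):
    """Approximate sudoers evaluation of one command line.

    Assumption: sudo matches the argument string against the pattern with
    fnmatch(3) and no FNM_PATHNAME, so '*' matches '/' and spaces as well.
    Later rules override earlier ones, and a '!' rule denies.
    """
    decision = False
    for rule in rules:
        deny = rule.startswith("!")
        pattern = rule[1:] if deny else rule
        if fnmatch.fnmatchcase(cmdline, pattern):
            decision = not deny
    return decision


# Constructed sample invocations and the expected decision for each: the
# first is the intended use, the others are the shapes the rules reject.
SAMPLES = {
    "/usr/bin/chmod 644 /home/john/public_html/index.html": True,   # nested path
    "/usr/bin/chmod 4755 /home/john/cgi-bin/hook": False,           # setuid bit, 4 digits
    "/usr/bin/chmod 644 /home/john/../../srv/www/site.conf": False,  # '..' leaves /home/john
    "/usr/bin/chmod 644 /home/john/x /srv/www/site.conf": False,     # second argument via space
}


def check_samples(samples=SAMPLES):
    """Return {cmdline: decision} for every sample so it can be asserted on."""
    return {cmd: allowed(cmd) for cmd in samples}
```

Because `*` in an argument pattern crosses `/` under this assumption, the nested path is already covered by the single `/home/john/*` rule; confirm the behaviour on your own sudo version with `sudo -l -U <user>` before relying on it.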


