[sudo-users] sudo locked down Cmnd alias
Matthew Hannigan
mlh at zip.com.au
Sun Dec 19 18:38:49 EST 2010
On Fri, Dec 17, 2010 at 12:55:45PM +0100, Richard van den Berg wrote:
> On 17-12-10 09:23 , Brent Clark wrote:
> > I have a client that has two users on our server. He would like to
> > chown and chmod all files in his directory that are owned by www-data.
> >
> > Understandably, we are concerned about giving sudo access.
> >
> > Does anyone know if it's possible to have a locked down Cmnd alias of
> > chmod and chown.
>
> For chown:
>
> /usr/bin/chown john /home/john/*

This one is a bad security hole. You should always use -h with chown/chgrp.
Imagine a link to say /etc/passwd or /etc/shadow in /home/john.

> !/usr/bin/chown john /home/john/*..*
> !/usr/bin/chown john /home/john/* *

Exclusions are usually a mistake. I'd just do

    /usr/bin/chown -hR john /home/john

Nothing is under the user's control.

Matt
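
The symlink hazard raised in the reply above can be audited before a privileged chown is run. This is an added example, not part of the original thread: the function name `escaping_links` and the sample tree are hypothetical, and it assumes a `readlink` that supports `-f` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# List symlinks under DIR whose targets resolve outside DIR. These are the
# entries a chown WITHOUT -h would dereference, changing the owner of the
# target file instead of the link itself.
#
# escaping_links DIR  ->  prints "LINK -> RESOLVED_TARGET", one per line
# DIR is assumed not to be "/".
escaping_links() {
    root=$(readlink -f -- "$1") || return 2
    # -exec ... {} + hands names to the inner shell as arguments, so file
    # names containing spaces or newlines are handled correctly.
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link do
            target=$(readlink -f -- "$link" 2>/dev/null) || target=
            case "$target" in
                "$root"|"$root"/*) ;;   # resolves inside the tree: fine
                *) printf "%s -> %s\n" "$link" "${target:-<unresolvable>}" ;;
            esac
        done' sh "$root" {} +
}

# Constructed sample tree (not from the original thread).
demo=$(mktemp -d)
mkdir "$demo/sub"
: > "$demo/sub/page.html"
ln -s sub/page.html "$demo/inside"   # resolves inside the tree
ln -s /etc/passwd "$demo/outside"    # resolves outside the tree
escaping_links "$demo"               # reports only the "outside" link
rm -rf "$demo"
```

The audit is a point-in-time check: the directory owner can add a link after it runs, so it complements `-h` on the privileged command and does not replace it.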