[sudo-users] sudo locked down Cmnd alias

Matthew Hannigan mlh at zip.com.au
Sun Dec 19 18:38:49 EST 2010

On Fri, Dec 17, 2010 at 12:55:45PM +0100, Richard van den Berg wrote:
> On 17-12-10 09:23 , Brent Clark wrote:
> > I have a client that has two users on our server. He would like to
> > chown and chmod all files in his directory that are owned by www-data.
> >
> > Understandibilty, we are concerned about giving sudo access.
> >
> > Does anyone know if its possible to have a locked down Cmnd alias of
> > chmod and chown.
> For chown:
> /usr/bin/chown john /home/john/*

This one is a bad security hole.  You should always use -h with chown/chgrp.
Imagine a link to say /etc/passwd or /etc/shadow in /home/john.

> !/usr/bin/chown john /home/john/*..*
> !/usr/bin/chown john /home/john/* *

Exclusions are usually a mistake.  I'd just do

    /usr/bin/chown -hR john /home/john

Nothing is under the user's control.


More information about the sudo-users mailing list