[sudo-users] Allow the dir creation to one level only

Dempsey, Steve AZ steve.az.dempsey at intel.com
Wed Apr 13 10:13:34 EDT 2011 

You may try a combination permit/deny rule such as:



user  ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*



This worked in a simple test:



host> sudo -l

Authenticate with steved99's password:

User steved99 may run the following commands on this host:

    (root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*

host> sudo mkdir /opt/newdir

host> sudo mkdir /opt/newdir/subdir

Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.



-Steve



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Moisés Barba Pérez
Sent: Wednesday, April 13, 2011 5:36 AM
To: Jon Seymour
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Allow the dir creation to one level only



That would be a very good solution if the server was only for me. This

server is integrated with LDAP and I can't inform all users about a script

to exec a specific command.



Somebody has any idea about how to workaround this problem????



2011/4/13 Jon Seymour <jon.seymour at gmail.com>



> On Wed, Apr 13, 2011 at 5:27 PM, Moisés Barba Pérez <mbarperoi at gmail.com>

> wrote:

> > Hi:

> >

> >   I would like to create a rule in sudoers file to allow an user the

> mkdir

> > comand. I'm looking for the way to limit the dir creation to one level,

> for

> > example:

> >

> > 1. The user can create a dir in /data: sudo mkdir /data/user

> > 2. The user *can't* create a subdir un /data: sudo mkdir /data/user/mydir

> (I

> > want to avoid this)

> >

>

> I think a better way to approach this problem is to define a script

> that implements your policy and then use sudo to provide access to

> this script. You should be free to implement what ever policy you want

> in the script without be constrained by the capabilities or otherwise

> of the sudo rules language.

>

> jon.

>

____________________________________________________________

sudo-users mailing list <sudo-users at sudo.ws>

For list information, options, or to unsubscribe, visit:

http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list