[sudo-users] Allow the dir creation to one level only
Dempsey, Steve AZ
steve.az.dempsey at intel.com
Wed Apr 13 10:13:34 EDT 2011
You may try a combination permit/deny rule such as:
user ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*
This worked in a simple test:
host> sudo -l
Authenticate with steved99's password:
User steved99 may run the following commands on this host:
(root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*
host> sudo mkdir /opt/newdir
host> sudo mkdir /opt/newdir/subdir
Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.
-Steve
-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Moisés Barba Pérez
Sent: Wednesday, April 13, 2011 5:36 AM
To: Jon Seymour
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Allow the dir creation to one level only
That would be a very good solution if the server was only for me. This
server is integrated with LDAP and I can't inform all users about a script
to exec a specific command.
Does anybody have any idea how to work around this problem?
2011/4/13 Jon Seymour <jon.seymour at gmail.com>
> On Wed, Apr 13, 2011 at 5:27 PM, Moisés Barba Pérez <mbarperoi at gmail.com> wrote:
> > Hi:
> >
> > I would like to create a rule in the sudoers file to allow a user the mkdir
> > command. I'm looking for the way to limit the dir creation to one level, for
> > example:
> >
> > 1. The user can create a dir in /data: sudo mkdir /data/user
> > 2. The user *can't* create a subdir in /data: sudo mkdir /data/user/mydir
> > (I want to avoid this)
> >
>
> I think a better way to approach this problem is to define a script
> that implements your policy and then use sudo to provide access to
> this script. You should be free to implement whatever policy you want
> in the script without being constrained by the capabilities or otherwise
> of the sudo rules language.
>
> jon.
>
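
The wrapper-script approach Jon Seymour suggests in the quoted message, as an added example (not code from the thread or from the sudo project). The script name `mkdatadir`, its install path and the accepted character set are assumptions; `/data` is the directory from the original question.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed root-owned as /usr/local/sbin/mkdatadir
# (assumed name and path) and granted with a sudoers entry such as:
#   user ALL=(root) /usr/local/sbin/mkdatadir
# The policy lives here, so the sudoers rule itself needs no wildcards.

# Fixed locale so the A-Z / a-z ranges below mean ASCII only.
LC_ALL=C
export LC_ALL

# Accept exactly one path component: letters, digits, '.', '_' and '-',
# not starting with '.' or '-'. This rejects "a/b", "..", "-p" and "a b".
valid_name() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_one_level BASE NAME: create BASE/NAME and nothing deeper.
make_one_level() {
    if [ "$#" -ne 2 ]; then
        echo "usage: mkdatadir NAME" >&2
        return 2
    fi
    base=$1
    name=$2
    if ! valid_name "$name"; then
        echo "mkdatadir: invalid directory name: $name" >&2
        return 1
    fi
    # No -p, so no parent directories are created and an existing
    # entry is an error; "--" ends option parsing.
    mkdir -- "$base/$name"
}

# The base directory is fixed here and never taken from the caller.
# Extra arguments make the argument count wrong and are rejected.
# With no arguments the script does nothing, so it can be sourced for testing.
[ "$#" -eq 0 ] || make_one_level /data "$@"
```
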