[sudo-users] Allow the dir creation to one level only
JR Aquino
JR.Aquino at citrix.com
Fri Apr 15 05:10:34 EDT 2011
On Apr 14, 2011, at 11:22 PM, Matthew Hannigan wrote:

> On Thu, Apr 14, 2011 at 09:37:10AM +1000, Matthew Hannigan wrote:
>
>> On Wed, Apr 13, 2011 at 07:13:34AM -0700, Dempsey, Steve AZ wrote:
>>
>>> You may try a combination permit/deny rule such as:
>>>
>>>     user ALL=(root) /bin/mkdir /data/*, !/bin/mkdir /data/*/*
>>>
>>> This worked in a simple test:
>>>
>>>     host> sudo -l
>>>     Authenticate with steved99's password:
>>>     User steved99 may run the following commands on this host:
>>>         (root) /bin/mkdir /opt/*, (root) !/bin/mkdir /opt/*/*
>>>     host> sudo mkdir /opt/newdir
>>>     host> sudo mkdir /opt/newdir/subdir
>>>     Sorry, user steved99 is not allowed to execute '/bin/mkdir /opt/newdir/subdir' as root on host.
>>
>> But it DOES allow
>>
>>     sudo mkdir /opt/newdir/subdir/anothersubdir
>>
>> if /opt/newdir/subdir already exists, i.e. it only stops the second level.
>
> Steve has said that this does work by his testing. And testing again myself, I found it
> does indeed work.
>
> Apologies for the misinformation -- I don't know what went wrong in my tests the first time around!

Just as a precaution, I would verify that you are not able to do something like:

    sudo mkdir /opt/newdir/../../newdir
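The precaution above comes down to one point: a wildcard rule matches the argument as a string, while the intended policy is about where the path resolves. The following audit helper is an added example, not code from the thread or from the sudo project; it uses Python's fnmatch as a stand-in for glob matching (its `*` also matches `/`, which is an assumption about the matcher, not a statement about sudo's own implementation) and compares that string-level view with a lexical resolution of the same argument. The ALLOW, DENY and BASE values mirror the /opt rule from Steve's test; the sample arguments are constructed.

```python
import fnmatch
import posixpath

# Patterns mirroring the rule under discussion (the /opt form from the test).
ALLOW = "/opt/*"
DENY = "/opt/*/*"
BASE = "/opt"


def string_match(arg, allow=ALLOW, deny=DENY):
    """Pattern matching on the raw argument string, as a glob-based rule sees it.
    Assumption: '*' may match '/', as Python's fnmatch does.
    Returns True when the allow pattern matches and the deny pattern does not."""
    return fnmatch.fnmatchcase(arg, allow) and not fnmatch.fnmatchcase(arg, deny)


def resolved_direct_child(arg, base=BASE):
    """The policy's intent: after lexical normalisation (collapsing '..', '.',
    and repeated slashes) the target must be an immediate child of base.
    Relative paths are rejected because they depend on the caller's cwd.
    Returns (allowed, resolved_path); resolved_path is None for relative input.
    Note: normpath does not consult the filesystem, so symlinks are not
    followed; os.path.realpath would be needed for that."""
    if not posixpath.isabs(arg):
        return False, None
    resolved = posixpath.normpath(arg)
    allowed = resolved != base and posixpath.dirname(resolved) == base
    return allowed, resolved


def audit(args):
    """Compare both views for each candidate argument.
    Returns a list of (arg, string_view, resolved_view, resolved_path)."""
    rows = []
    for arg in args:
        allowed, resolved = resolved_direct_child(arg)
        rows.append((arg, string_match(arg), allowed, resolved))
    return rows


# Constructed inputs: the thread's cases plus traversal and edge variants.
SAMPLES = [
    "/opt/newdir",
    "/opt/newdir/subdir",
    "/opt/newdir/subdir/anothersubdir",
    "/opt/newdir/../../newdir",
    "/opt/..",
    "/opt/.",
    "/opt//newdir",
    "newdir",
]

if __name__ == "__main__":
    for arg, s, r, resolved in audit(SAMPLES):
        print(f"{arg:36} string-match={s!s:5} resolved-child={r!s:5} -> {resolved}")
```

The rows worth looking at are the ones where the two columns disagree: `/opt/..` and `/opt/.` pass the string rule but resolve to `/` and `/opt` respectively, neither a child of the base, while `/opt//newdir` is a legitimate target that the string rule rejects because the doubled slash trips the deny pattern. That divergence is why a wildcard rule should be verified against resolved paths (and symlinks) on the real host rather than trusted from the pattern alone.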