[sudo-users] restricting command to certain directory
j.vitek at funlife.cz
Thu Jun 23 12:08:22 EDT 2011
I have problem with limiting chown command to concrete directory. My
actual config in sudoers is following:
User_Alias DEVELOPERS = funlife
Cmnd_Alias WWW_PERMISSIONS = /bin/chown funlife\:apache /home/www/*
It's working fine and as i await. But there is one problem, i don't know
how to restrict not using ../ in path. For example this command is
"validated" with sudo as well:
sudo chown funlife:apache /home/www/../../bin/*
and will allow owner change in bin directory or others..
I understood that sudo don't know anything about what i'm specifing in
WWW_PERMISSION alias. So it can't "translate" path to absolute form. But
is there any form of regexp what i can use in path to disallow "../"
from command? If not, are other ways do reach this behavior excepting
own wrapper script?
Thanks for your time. And sorry for my english.
More information about the sudo-users