[sudo-users] restricting command to certain directory

Jiri Vitek j.vitek at funlife.cz
Thu Jun 23 12:08:22 EDT 2011

Hello everybody,

I have a problem with limiting the chown command to a specific directory. My
current config in sudoers is the following:

User_Alias      DEVELOPERS = funlife
Cmnd_Alias	WWW_PERMISSIONS = /bin/chown funlife\:apache /home/www/*

It's working fine and as I expect. But there is one problem: I don't know
how to prevent the use of ../ in the path. For example, this command is
"validated" by sudo as well:

sudo chown funlife:apache /home/www/../../bin/*

and will allow an owner change in the bin directory or others.

I understand that sudo doesn't know anything about what I'm specifying in
the WWW_PERMISSIONS alias, so it can't "translate" the path to absolute form. But
is there any form of regexp that I can use in the path to disallow "../"
in the command? If not, are there other ways to reach this behavior, apart from
my own wrapper script?

Thanks for your time. And sorry for my English.

Jiri Vitek
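
Added example, not part of the original post: the path check a wrapper would need before calling chown, next to a demonstration of why the `/home/www/*` pattern accepts the `../` form. The wrapper itself, its function names and the use of Python's `fnmatch` to approximate sudoers argument matching are assumptions; the directory and owner:group are the ones from the post.

```python
#!/usr/bin/env python3
"""Hypothetical wrapper: chown only paths that resolve inside BASE."""
import fnmatch
import os
import shutil
import sys

BASE = "/home/www"                    # directory from the post
OWNER, GROUP = "funlife", "apache"    # owner:group from the post


def sudoers_arg_match(pattern: str, arg: str) -> bool:
    # Approximation of sudoers argument matching (assumption: fnmatch
    # semantics without path awareness, so '*' also matches '/' and '..').
    return fnmatch.fnmatchcase(arg, pattern)


def resolve_inside(path: str, base: str = BASE) -> str:
    """Return the canonical form of path, or raise if it is not below base."""
    real_base = os.path.realpath(base)
    real = os.path.realpath(path)     # collapses '..' and follows symlinks
    inside = os.path.commonpath([real_base, real]) == real_base
    if not inside or real == real_base:
        raise ValueError(f"{path!r} resolves to {real!r}, not below {real_base!r}")
    return real


def main(argv):
    # Validate every argument before changing anything.
    targets = [resolve_inside(p) for p in argv[1:]]
    for target in targets:
        shutil.chown(target, user=OWNER, group=GROUP)
    return 0


if __name__ == "__main__":
    try:
        sys.exit(main(sys.argv))
    except ValueError as err:
        sys.exit(f"refused: {err}")
```

Because the developer account can write inside /home/www, a symlink can still be swapped in between the check and the chown, so the check narrows the rule without removing that race.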

