[sudo-users] Restrict chmod, chown and chgrp to certain directories

Rigoberto Juarez rjuarez at semtech.com
Tue Jun 3 17:02:36 MDT 2014

Thanks Steve,

As you mentioned, deny is very difficult. I am new to complex sudoers configuration. Where can I find an example of a helper script to integrate into sudo?


-----Original Message-----
From: Dempsey, Steve AZ [mailto:steve.az.dempsey at intel.com]
Sent: Tuesday, 03 June 2014 12:47 p.m.
To: Rigoberto Juarez
Subject: RE: Restrict chmod, chown and chgrp to certain directories

This is more easily accomplished by using a helper script that regulates the options allowed for chown/chmod/chgrp.
Trying to express it in sudoers rule syntax with correct permit/deny is very difficult. Most attempts at 'deny'
type rules when controlling args are futile.


-----Original Message-----
From: sudo-users [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Rigoberto Juarez
Sent: Tuesday, June 03, 2014 9:06 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Restrict chmod, chown and chgrp to certain directories

Hi all,

I am trying to restrict the use of chmod, chown and chgrp to a certain directory (only that directory, no other should be enabled). I've been doing some tests but it is not working properly.

Here are some approaches I have tried with no luck:

Cmnd_Alias DELEGATE = /bin/chown /eda/*, /bin/chown /eda/* *, !/bin/chown /eda/*..*
Cmnd_Alias CHMOD    = /bin/chmod /eda/*, /bin/chmod /eda/* *, !/bin/chmod /eda/*..*
Cmnd_Alias CHGRP    = /bin/chgrp /eda/*, /bin/chgrp /eda/* *, !/bin/chgrp /eda/*..*

%eda ALL=(ALL,ALL) DELEGATE, CHMOD, CHGRP
===============================================================

Cmnd_Alias      RUN_EXTENDED =\
                                /usr/bin/chgrp /eda/*,\
                                /usr/bin/chown /eda/*,\
                                /usr/bin/chmod /eda/*,\
                                /bin/chgrp /eda/*,\
                                /bin/chown /eda/*,\
                                /bin/chmod /eda/*


Cmnd_Alias EDAMOD =\
                                /bin/chmod [0-7][0-7][0-7] /eda/*,\
                                /bin/chmod [0-7][0-7][0-7] /eda/* *,\
                                !/bin/chmod [0-7][0-7][0-7] /eda/*..*
Cmnd_Alias DELEGATE =\
                                /bin/chown -[RPfchv] [a-z]\:[a-z] /eda/*,\
                                /bin/chown -[RPfchv] [a-z]\:[a-z] /eda/* *,\
                                !/bin/chown -[RPfchv] [a-z]\:[a-z] /eda/*..*
Cmnd_Alias EDAGRP =\
                                /bin/chgrp -[RPfchv] [a-z]\:[a-z] /eda/*,\
                                /bin/chgrp -[RPfchv] [a-z]\:[a-z] /eda/* *,\
                                !/bin/chgrp -[RPfchv] [a-z]\:[a-z] /eda/*..*

%eda ALL=(ALL,ALL) DELEGATE, EDAMOD, EDAGRP
===============================================================

Do you have any idea or example of how to accomplish this task?

sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
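Steve's helper-script approach, written out as an added example for this thread (it is not code from the list, from either poster or from the sudo project): a POSIX sh script that accepts only a whitelisted argument shape for chmod, chown and chgrp, and only targets that canonicalize to somewhere under /eda. The script name `eda-perm`, its location /usr/local/sbin, GNU or BusyBox `readlink -f`, the `ls -l` link-count column and the real tools living in /bin are assumptions; /eda and the %eda group come from the thread.

```shell
#!/bin/sh
# eda-perm: sudo helper that lets members of %eda run chmod, chown and chgrp,
# but only on paths inside EDA_ROOT and only with a whitelisted argument shape.
# Added example for this thread, not code from the list, the posters or the
# sudo project. Assumes GNU/BusyBox "readlink -f" and the real tools in /bin.
#
# Matching sudoers rule (install root-owned, mode 0755). No argument pattern in
# the rule: the script, not sudoers, decides which arguments are acceptable.
#   %eda ALL=(root) /usr/local/sbin/eda-perm

# Hard-coded on purpose: never take the root from the environment or argv.
EDA_ROOT=/eda
PATH=/usr/bin:/bin
LC_ALL=C            # deterministic [a-z] ranges in the case patterns below
export PATH LC_ALL

eda_usage() {
    echo 'usage: eda-perm chmod|chown|chgrp [-R] MODE|OWNER[:GROUP]|GROUP PATH' >&2
}

# eda_canon ROOT PATH: print the canonical form of PATH; return 1 unless it
# exists and lies inside ROOT. "readlink -f" resolves every symlink and "..",
# so /eda/../etc/shadow and /eda/link-to-shadow are judged by where they point.
eda_canon() {
    canon_root=$(readlink -f -- "$1") || return 1
    canon_path=$(readlink -f -- "$2") || return 1
    [ -e "$canon_path" ] || return 1
    case "$canon_path" in
        "$canon_root"|"$canon_root"/*) ;;
        *) return 1 ;;
    esac
    # A hard link to /etc/shadow created under /eda canonicalizes to a path
    # inside the root, so refuse regular files with more than one link
    # (redundant where fs.protected_hardlinks=1, cheap insurance elsewhere).
    nlink=$(ls -ld -- "$canon_path" | awk '{ print $2 }')
    if [ -f "$canon_path" ] && [ "$nlink" -gt 1 ]; then return 1; fi
    printf '%s\n' "$canon_path"
}

# Exactly three octal digits: no fourth digit (setuid/setgid/sticky) and no
# symbolic modes, so "chown root" then "chmod 4755" cannot build a setuid binary.
eda_valid_mode() {
    case "$1" in
        [0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# One account or group name: a lowercase letter or "_" first, then [a-z0-9_-].
# No ":" "." "/" or whitespace, nothing chown could re-parse as a separator.
eda_valid_name() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# chown spec: USER, USER:GROUP or :GROUP. Numeric ids fail eda_valid_name
# (leading digit) and root is refused by name as well.
eda_valid_owner() {
    case "$1" in
        *:*) owner_u=${1%%:*}; owner_g=${1#*:} ;;
        *)   owner_u=$1;       owner_g= ;;
    esac
    [ "$owner_u" != root ] || return 1
    [ -n "$owner_u" ] || [ -n "$owner_g" ] || return 1
    { [ -z "$owner_u" ] || eda_valid_name "$owner_u"; } || return 1
    { [ -z "$owner_g" ] || eda_valid_name "$owner_g"; } || return 1
}

# eda_apply ROOT OP [-R] ARG PATH: validate both operands, then run the real
# tool on the canonical path, always after "--" so ARG is never read as an option.
eda_apply() {
    [ $# -ge 4 ] || { eda_usage; return 2; }
    apply_root=$1; apply_op=$2; shift 2
    apply_recurse=
    if [ "$1" = -R ]; then apply_recurse=-R; shift; fi
    [ $# -eq 2 ] || { eda_usage; return 2; }
    apply_arg=$1
    case "$apply_op" in
        chmod) eda_valid_mode "$apply_arg" ;;
        chown) eda_valid_owner "$apply_arg" ;;
        chgrp) eda_valid_name "$apply_arg" ;;
        *)     false ;;
    esac || { printf 'eda-perm: refused %s argument %s\n' "$apply_op" "$apply_arg" >&2; return 1; }
    apply_target=$(eda_canon "$apply_root" "$2") ||
        { printf 'eda-perm: refused path %s: not an existing path inside %s\n' "$2" "$apply_root" >&2; return 1; }
    /bin/"$apply_op" $apply_recurse -- "$apply_arg" "$apply_target"
}

main() { eda_apply "$EDA_ROOT" "$@"; }

# Dispatch only when given arguments; with none the file merely defines the
# functions above, so it can be sourced or appended to for testing.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

A member of %eda then runs, for instance, `sudo eda-perm chmod -R 750 /eda/proj`, and anything outside the shape above is refused before a real command is started. Two checks carry the weight: the path is judged after `readlink -f`, so `..` and symlinks into /etc are caught by destination rather than by spelling, which is exactly what the `/eda/*..*` deny patterns in the thread cannot do; and only three-digit modes are accepted, which closes the chown-then-chmod-4755 route to a setuid binary. What the script cannot close is the check-then-act gap: a user who owns a directory component under /eda can rename it and drop a symlink in its place between the check and the chmod. The window is small and every attempt is recorded with its arguments in the sudo log, but it is a residual risk worth knowing about.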
