rwp at hprwp.fc.hp.com
Mon Mar 29 16:23:13 EST 2004
> Is there a prescribed method for wrapping chmod to disabling the setuid
> and setgid bit?
Trying to enable everything except for something particular is very
dangerous because it is very hard to things to sneak through. A
better philosophy is to only enable specifically what you want to
> Cmnd_Alias FILE_MOD = /usr/bin/chgrp
> DEVELOP ALL=(ALL) NOPASSWD:FILE_MOD, \
> !/usr/bin/chmod [1-4]??? *, \
> !/usr/bin/chmod * [1-4]??? *, \
> !/usr/bin/chmod *[s]* *, \
> !/usr/bin/chmod * *[s]* *
I assume you meant chmod in both of the above and the chgrp is an
error? Assuming that I will continue.
It seems very dangerous in general to me, because I don't know what
you are trying to do, to allow chmod as root as a general case. I
think sudo access to chmod extremely bad. I can think of any number
of ways to expoit it. But if you were going to allow it should be
just what you want.
What are you trying to do?
> This seems to work okay but it seems awfully cumbersome. Is there a
> better way, or more importantly, are there any holes in the above?
If I can fool your ! patterns then I can sneak through. I don't know
if there are holes there but it seems a prime target. Leading zeros
come to mind, it is an octal number after all. I will propose that
any particular allow-all-except-pattern will have weaknesses to be
exploited except in the case that you are very careful.
More information about the sudo-workers