chmod wrapper

Bob Proulx rwp at hprwp.fc.hp.com
Mon Mar 29 16:23:13 EST 2004


bmonroe wrote:
> Is there a prescribed method for wrapping chmod to disabling the setuid
> and setgid bit?

Trying to enable everything except for something particular is very
dangerous because it is very hard to things to sneak through.  A
better philosophy is to only enable specifically what you want to
enable.

> Cmnd_Alias      FILE_MOD =      /usr/bin/chgrp
> DEVELOP         ALL=(ALL)       NOPASSWD:FILE_MOD,		\
> 				!/usr/bin/chmod [1-4]??? *,	\
> 				!/usr/bin/chmod * [1-4]??? *,	\
> 				!/usr/bin/chmod *[s]* *,	\
> 				!/usr/bin/chmod * *[s]* *

I assume you meant chmod in both of the above and the chgrp is an
error?  Assuming that I will continue.

It seems very dangerous in general to me, because I don't know what
you are trying to do, to allow chmod as root as a general case.  I
think sudo access to chmod extremely bad.  I can think of any number
of ways to expoit it.  But if you were going to allow it should be
just what you want.

What are you trying to do?

> This seems to work okay but it seems awfully cumbersome.  Is there a
> better way, or more importantly, are there any holes in the above?

If I can fool your ! patterns then I can sneak through.  I don't know
if there are holes there but it seems a prime target.  Leading zeros
come to mind, it is an octal number after all.  I will propose that
any particular allow-all-except-pattern will have weaknesses to be
exploited except in the case that you are very careful.

Bob



More information about the sudo-workers mailing list