chmod wrapper

Bob Proulx rwp at hprwp.fc.hp.com
Mon Mar 29 18:43:24 EST 2004


bmonroe wrote:
> Yes, I understand the risk involved.  I need our developers to be able to
> modify file permissions but not be able to turn on set-uid or set-gid bit.

I think that will be very difficult to be completely successful.

> Unfortunately it is not for me to decide the level of security they get.

I understand.  I have similar environments.

Not to be too quib but perhaps that means they really all do have full
root access.  It removes the illusion that a facade would create.

  DEVELOP ALL = ALL

At least everything can be tracked by the logging.  Developers should
not be frustrated by this since they have full root power.

> :( They wrote crappy code and I'm the one that needs to massage the
> security to fit their needs.  Anyway, I digress.  On the bright side, if
> you saw what it was before sudo was implemented, you would probably either
> choke in disgust or laugh your head off (they had root and umask was 000).

The environment of MSDOS lives on.

> > If I can fool your ! patterns then I can sneak through.  I don't know
> > if there are holes there but it seems a prime target.  Leading zeros
> > come to mind, it is an octal number after all.  I will propose that
> > any particular allow-all-except-pattern will have weaknesses to be
> > exploited except in the case that you are very careful.
> 
> I agree but alas, their voices are louder than mine. :(

In that case I would be inclined to do something like this.  Eew.. I
don't like it.

Cmnd_Alias      FILE_MOD = 	/usr/bin/chmod u+w *,
				/usr/bin/chmod u-w *,
				/usr/bin/chmod g+w *,
				/usr/bin/chmod g-w *

DEVELOP         ALL = NOPASSWD: FILE_MOD

But back to your original question.

> DEVELOP         ALL=(ALL)       NOPASSWD:FILE_MOD,              \
>                                 !/usr/bin/chmod [1-4]??? *,     \
>                                 !/usr/bin/chmod * [1-4]??? *,   \
>                                 !/usr/bin/chmod *[s]* *,        \
>                                 !/usr/bin/chmod * *[s]* *

> or more importantly, are there any holes in the above?

But if you decide to keep the exclude list then how do the following
stack up in your test cases of what works and does not work?

  sudo chmod 04755 foo       # you want to stop this
  sudo chmod a-w foosball    # you want to allow this

A completely different track to take would be to compile a special
version of chmod which does not allow your setuid operating in the
program.  Then allow anyone to use that special program.  That would
probably be easier.

Bob
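To check how the exclude list above actually behaves against the two test cases, here is an added emulation of sudo's argument matching (constructed for this thread, not sudo's own code). It assumes the FILE_MOD alias in bmonroe's entry is `/usr/bin/chmod *`, which the thread never shows, and relies on two documented sudoers behaviours: the user's arguments are joined with single spaces and matched with fnmatch(3), so `*` and `?` match across word boundaries, and when several entries match, the last one wins.

```python
"""Emulate sudoers argument matching for the chmod exclude list in this thread.

Constructed example, not sudo's own code.  sudo joins argv[1:] with single
spaces and matches the result against the sudoers args pattern using
fnmatch(3) with no flags, so '*' and '?' match across spaces; when more than
one entry matches, the last matching entry decides.
"""
from fnmatch import fnmatchcase

# (negated, command path, args pattern), in sudoers order.
# First entry is the assumed definition of FILE_MOD; the rest are the
# negated patterns quoted in the thread.
USER_SPEC = [
    (False, "/usr/bin/chmod", "*"),            # FILE_MOD (assumed: chmod *)
    (True,  "/usr/bin/chmod", "[1-4]??? *"),
    (True,  "/usr/bin/chmod", "* [1-4]??? *"),
    (True,  "/usr/bin/chmod", "*[s]* *"),
    (True,  "/usr/bin/chmod", "* *[s]* *"),
]


def allowed(argv, spec=USER_SPEC):
    """Return True if the user spec would let argv[0] run with argv[1:]."""
    path, args = argv[0], " ".join(argv[1:])
    verdict = False                      # no matching entry means denied
    for negated, rule_path, rule_args in spec:
        if path == rule_path and fnmatchcase(args, rule_args):
            verdict = not negated        # last matching entry wins
    return verdict


if __name__ == "__main__":
    for cmd in (["/usr/bin/chmod", "04755", "foo"],           # leading zero
                ["/usr/bin/chmod", "4755", "foo"],
                ["/usr/bin/chmod", "u+s", "foo"],
                ["/usr/bin/chmod", "a-w", "foosball"],
                ["/usr/bin/chmod", "a-w", "foosball", "bar"]):
        print("ALLOW" if allowed(cmd) else "DENY ", " ".join(cmd))
```

Run as-is it shows the leading-zero form `04755` slipping past every negated pattern while `4755` and `u+s` are caught, and that an 's' in a filename only trips the exclude list when another argument follows it.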



More information about the sudo-workers mailing list