Solved

Confine Sudo access to a directory

Posted on 2008-10-06
Last Modified: 2012-05-05
How can I configure sudo to give users access to the /home/cvs directory after they cd to that directory?

Once they get to this directory, they should be able to chown, chmod, etc.
Question by:p0sreed
11 Comments
LVL 10

Expert Comment

by:Tyler Laczko
ID: 22654519
You cannot give them sudo for a specific directory. You are either a sudo user of the system or not a sudo user.

You can grant them full rights to their own folder: chown them as the owner and chmod it to 700.
LVL 23

Expert Comment

by:Mysidia
ID: 22656520
Suppose your sudoers are members of a group 'cvsgroup'
you can use

%cvsgroup ALL=(root) /bin/chown -h user:group -- /home/cvs/[a-zA-Z0-9]*


In which case, members of the group can now type
# sudo /bin/chown -h  user:group -- /home/cvs/blah


The thing to keep in mind is that you must trust these users to some extent; there may be ways to use a command in unexpected ways otherwise.

You can define shell aliases for them in their .bashrc or /etc/profile:

chowncvs () {
    sudo /bin/chown -h user:groupname -- "/home/cvs/$1"
}


Author Comment

by:p0sreed
ID: 22661093
How about chmod?

What would the command be to give them access to chmod the file to any permission?

Author Comment

by:p0sreed
ID: 22675683
I get the following error when I try your solution:


sudo /bin/chown -h test:sysadmin -- /export/home/test/file
>>> sudoers file: syntax error, line 18 <<<
sudo: parse error in /usr/local/etc/sudoers near line 18
Oct  8 21:22:53 <hostname> sudo: [ID 702911 local2.alert]     test : parse error in /usr/local/etc/sudoers near line 18 ; TTY=pts/1 ; PWD=/export/home/test ; USER=root ; COMMAND=/bin/chown -h test:sysadmin -- /export/home/test/file

I have this in my sudo file

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN=/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
LVL 34

Expert Comment

by:PsiCop
ID: 22692255
That is NOT what sudo is for. You're using a hammer to turn a bolt.

sudo is *not* a filesystem access control tool. It is designed to offer controlled privilege escalation/modification.

I would suggest establishing an account that has the filesystem permissions you want, then allowing the users to switch their security context to that account:

$ sudo su - otherid

Author Comment

by:p0sreed
ID: 22692288
I have something like what Mysidia pointed out.

I want to make his idea work.

When I implement his solution, visudo complains of a syntax error.

Mysidia, please help!
LVL 23

Expert Comment

by:Mysidia
ID: 22693968
OK, the example I sent included a ":" in the Cmnd_Alias line; you actually need to escape this character with a \, because ':' has special meaning to sudo.

Try this:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN

Author Comment

by:p0sreed
ID: 22695590
It works, thanks Mysidia.

How can I do the same thing for chmod? I am thinking of something like the one below:

Cmnd_Alias      CHMOD=/bin/chmod 777 -- /export/home/test/[a-zA-Z0-9]*

This chmod works too, but it only gives one modification at a time.

I want it to cover all sorts of permissions like 4, 5, 6, 7.

Also, how do I avoid this "chown: --: No such file or directory"?

root@cslcl1-ha1  $ sudo chown -h test:sysadmin -- /export/home/test/sample
Password:
chown: --: No such file or directory
root@cslcl1-ha1  $ ls -l
total 6
-rw-r--r--   1 test     sysadmin     250 Oct  8 21:12 local.bashrc
-rw-r--r--   1 test     sysadmin     205 Oct  8 21:12 local.cshrc
-rw-r--r--   1 test     sysadmin       0 Oct  8 21:12 local.login
-rw-r--r--   1 test     sysadmin     247 Oct  8 21:12 local.profile
-rw-r--r--   1 test     sysadmin       0 Oct 11 16:06 sample
LVL 23

Expert Comment

by:Mysidia
ID: 22695672
It sounds as if your version of chown doesn't support the "--" separator, in which case you can allow chown without the -- instead, by modifying sudoers and your command line to take out the --.

What "--" normally means (for most commands) is that the rest of the line contains only additional filenames, no more command line options like -R. For example, on most systems:

chown myuser -- x/ -R     means chown a file named "-R" and a directory named "x"
chown myuser x/ -R        means chown a directory named "x" recursively (chown all files and subdirs in it recursively)




A problem to keep in mind with chmod is that it has no equivalent to the '-h' option.
It means that if you give someone the ability to 'chmod' with sudo, they can change the permissions of any file on the filesystem.

Here's an example of a bad sequence of commands:
ln -s /etc/passwd /export/home/test/sample/mylink
sudo /bin/chmod 777 -- /export/home/test/sample/mylink

So my recommendation is not to give direct access to the 'chmod' command.

Instead, use a wrapper script or write a wrapper program to be called from sudo that implements what you want to do and performs appropriate checks.


For example, paste code like this into chmod_wrapper.c:

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Directory the wrapper is confined to. Set this to the directory named in the
   sudoers entry (e.g. "/export/home/test/"); the trailing slash is required. */
#define BASE_PATH "/tmp/"

int main(int argc, char *argv[])
{
    long newmode;
    char *end;
    int fd, i, j;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <octal mode> <file list>\n",
                argv[0] ? argv[0] : "chmod_wrapper");
        exit(1);
    }

    /* Accept only a plain octal mode such as 644 or 0750; reject trailing junk. */
    errno = 0;
    newmode = strtol(argv[1], &end, 8);
    if (errno != 0 || argv[1][0] == '\0' || *end != '\0' || newmode < 0 || newmode > 07777) {
        fprintf(stderr, "Invalid mode: %s\n", argv[1]);
        exit(1);
    }

    for (i = 2; i < argc; i++) {
        /* The target must be spelled with the BASE_PATH prefix and name something below it. */
        if (strncmp(argv[i], BASE_PATH, strlen(BASE_PATH)) != 0
            || argv[i][strlen(BASE_PATH)] == '\0') {
            fprintf(stderr, "Target: %s is not in " BASE_PATH "\n", argv[i]);
            continue;
        }

        /* No subdirectories and no ".." after the prefix, so the name cannot
           climb back out of BASE_PATH. */
        for (j = strlen(BASE_PATH); argv[i][j] != '\0'; j++) {
            if ((argv[i][j] == '.' && argv[i][j + 1] == '.') || argv[i][j] == '/') {
                fprintf(stderr, "Filename contains invalid characters\n");
                goto skip_this_file;
            }
        }

        /* O_NOFOLLOW refuses to open a symlink, so a link planted in BASE_PATH
           cannot redirect the chmod to a file elsewhere (chmod(2) would follow it). */
        fd = open(argv[i], O_RDONLY | O_NOFOLLOW);
        if (fd < 0) {
            fprintf(stderr, "open(%s): %.80s\n", argv[i], strerror(errno));
            continue;
        }

        /* Change the mode through the descriptor we just validated, not via the path again. */
        if (fchmod(fd, (mode_t)newmode) < 0)
            perror("chmod");

        if (close(fd) < 0)
            perror("close");

skip_this_file:;
    }
    return 0;
}

Compile it with

gcc -o chmod_wrapper chmod_wrapper.c

Then use a sudoers entry like

Cmnd_Alias      CHMOD=/usr/local/bin/chmod_wrapper [0-9][0-9][0-9] /export/home/test/[a-zA-Z0-9]*

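The symlink problem Mysidia describes above, as an added example that is not part of the thread: the program below builds a throwaway directory with a file and a symlink to it (standing in for the `ln -s /etc/passwd ... mylink` step), then shows that chmod(2) on the link silently changes the target, while the wrapper's open(O_NOFOLLOW) + fchmod(2) sequence refuses the link with ELOOP and leaves the target alone. The scratch path under /tmp, the struct and function names are this example's own choices; it runs as an unprivileged user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the two chmod strategies against a planted symlink. */
struct demo_result {
    int naive_followed;        /* 1 if chmod(2) on the link changed the target's mode */
    int safe_refused;          /* 1 if open(O_NOFOLLOW) on the link failed with ELOOP */
    int safe_target_untouched; /* 1 if the target is still 0600 after the safe path */
};

static int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Builds a scratch directory (constructed for this example) holding target (0600)
   and mylink -> target, then runs chmod(2) on the link, which is what
   "/bin/chmod 777 mylink" does as root, followed by the O_NOFOLLOW + fchmod(2)
   sequence the wrapper uses. Returns 0 on success, -1 if the sandbox failed. */
int demo_symlink_chmod(struct demo_result *r)
{
    char dir[] = "/tmp/chmod-demo-XXXXXX";
    char target[256], link[256];
    int fd;

    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/mylink", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);
    if (symlink("target", link) < 0) {   /* stands in for: ln -s /etc/passwd mylink */
        unlink(target);
        rmdir(dir);
        return -1;
    }

    /* Naive: chmod(2) resolves the symlink and changes the file it points to. */
    if (chmod(link, 0777) == 0 && mode_of(target) == 0777)
        r->naive_followed = 1;
    (void)chmod(target, 0600);           /* reset for the second run */

    /* Safe: O_NOFOLLOW refuses to open a symlink at all (ELOOP), so nothing
       outside the directory can be reached through a planted link. */
    fd = open(link, O_RDONLY | O_NOFOLLOW);
    if (fd < 0 && errno == ELOOP) {
        r->safe_refused = 1;
    } else if (fd >= 0) {
        fchmod(fd, 0777);
        close(fd);
    }
    r->safe_target_untouched = (mode_of(target) == 0600);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (demo_symlink_chmod(&r) < 0) {
        perror("sandbox");
        return 1;
    }
    printf("chmod(2) on symlink changed target: %s\n", r.naive_followed ? "yes" : "no");
    printf("open(O_NOFOLLOW) refused the link:  %s\n", r.safe_refused ? "yes" : "no");
    printf("target untouched by safe path:      %s\n", r.safe_target_untouched ? "yes" : "no");
    return 0;
}
```

The same reasoning is why the wrapper validates the name and then acts on the descriptor with fchmod(2) rather than calling chmod(2) on the path a second time: between the check and the use, the user who owns the directory could swap the file for a link.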
LVL 23

Accepted Solution

by:Mysidia (earned 500 total points)
ID: 22696064
Actually, I recommend adjusting the wrapper and using the same for chown.

The problem is that
/home/cvs/[a-zA-Z0-9]*

matches more than one might think; for instance it matches "sudo /usr/bin/chown /home/cvs/A /root/blah".

You can expand this a little:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
Cmnd_Alias      BLOCKED_CHOWN = /bin/chown -h test\:sysadmin -- * *
CVSTEST         ALL = (root)    CHOWN, !BLOCKED_CHOWN

to stop a single sudo'd chown from containing more parameters than expected.

You can also use this technique if you later want to make certain files in the directory "not chownable" by the users you have listed in the 'CVSTEST' user alias.

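To see why the accepted answer needs the negated BLOCKED_CHOWN alias, and why it still recommends moving chown into the wrapper, here is an added example (not from the thread) that reproduces sudo's argument matching offline. sudo joins the user's arguments into one space-separated string and compares it with the sudoers argument pattern using fnmatch(3) without FNM_PATHNAME, so a '*' runs across spaces and across '/'; that is the documented behaviour the example assumes. The patterns are the two Cmnd_Alias lines above with the sudoers escape on the colon removed, and the command lines tried against them are constructed for this example.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Argument patterns from the sudoers entries above. In the sudoers file the
   colon is written as "\:" (it is a sudoers separator); after parsing, the
   text sudo matches against is the plain form below. */
#define CHOWN_ARGS         "-h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*"
#define BLOCKED_CHOWN_ARGS "-h test:sysadmin -- * *"

/* Joins argv[0..argc) with single spaces, the way sudo builds the string it
   matches sudoers argument patterns against. Returns -1 if it does not fit. */
static int join_args(char *out, size_t outlen, const char *argv[], int argc)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        int n = snprintf(out + used, outlen - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* sudo matches the joined string with fnmatch(3) and no FNM_PATHNAME, so '*'
   is not stopped by spaces (argument boundaries) or by '/'. */
static int args_match(const char *pattern, const char *argv[], int argc)
{
    char joined[1024];
    if (join_args(joined, sizeof joined, argv, argc) < 0)
        return 0;
    return fnmatch(pattern, joined, 0) == 0;
}

/* The first rule:    CVSTEST ALL = (root) CHOWN */
int allowed_by_chown_only(const char *argv[], int argc)
{
    return args_match(CHOWN_ARGS, argv, argc);
}

/* The accepted rule: CVSTEST ALL = (root) CHOWN, !BLOCKED_CHOWN
   sudo applies the last matching entry, so a line that also matches the
   negated alias is denied. */
int allowed_by_chown_with_block(const char *argv[], int argc)
{
    return args_match(CHOWN_ARGS, argv, argc)
        && !args_match(BLOCKED_CHOWN_ARGS, argv, argc);
}

int main(void)
{
    /* Constructed command lines: everything after "sudo /bin/chown" */
    const char *one_file[]  = { "-h", "test:sysadmin", "--", "/export/home/test/sample" };
    const char *two_files[] = { "-h", "test:sysadmin", "--", "/export/home/test/A", "/root/blah" };
    const char *outside[]   = { "-h", "test:sysadmin", "--", "/etc/passwd" };
    const char *dotfile[]   = { "-h", "test:sysadmin", "--", "/export/home/test/.ssh" };
    const char *climbs[]    = { "-h", "test:sysadmin", "--", "/export/home/test/x/../../../etc/passwd" };
    struct { const char *name; const char **argv; int argc; } cases[] = {
        { "one file in the directory",   one_file,  4 },
        { "extra argument outside it",   two_files, 5 },
        { "file outside the directory",  outside,   4 },
        { "dotfile in the directory",    dotfile,   4 },
        { "path climbing out with ..",   climbs,    4 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s CHOWN only: %-7s  CHOWN,!BLOCKED_CHOWN: %s\n", cases[i].name,
               allowed_by_chown_only(cases[i].argv, cases[i].argc) ? "allowed" : "denied",
               allowed_by_chown_with_block(cases[i].argv, cases[i].argc) ? "allowed" : "denied");
    return 0;
}
```

The second case is the over-match Mysidia points out: the trailing '*' swallows " /root/blah", and only the "* *" negation catches the extra argument. The last case is the one no sudoers pattern fixes: "x" satisfies the character class and '*' happily matches "/../../../etc/passwd", so both rules allow it, which is why the wrapper's rejection of any '/' or ".." after the base path is the real control.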

Author Comment

by:p0sreed
ID: 22708343
OK, I misunderstood the requirement.

Mysidia,

How can I grant users permission to do whatever they want to files inside the directory /home/cvs through sudo?

Not only chown and chmod, but also rm, mv, cp, etc.