Solved

Confine Sudo access to a directory

Posted on 2008-10-06
1,311 Views
Last Modified: 2012-05-05
How can I configure Sudo to provide access to users in the /home/cvs directory after they cd to that directory?

Once they get to this directory, they should be able to chown, chmod etc.
0
Question by:p0sreed
11 Comments
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 22654519
You cannot give them sudo for a specific directory. You are either a sudo user of the system or not a sudo user.

You can grant them full rights to their own folder: chown them as the owner and chmod to 700.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22656520
Suppose your sudoers are members of a group 'cvsgroup'
you can use

%cvsgroup ALL=(root) /bin/chown -h user:group -- /home/cvs/[a-zA-Z0-9]*


In which case, members of the group can now type
# sudo /bin/chown -h  user:group -- /home/cvs/blah


The thing to keep in mind is you must trust these users to some extent; there may be ways to use a command in unexpected ways otherwise.

You can define shell aliases for them in their .bashrc or /etc/profile:

chowncvs () {
    # quote the argument so a filename is always passed as one word
    sudo /bin/chown -h user:groupname -- "/home/cvs/$1"
}

0
 

Author Comment

by:p0sreed
ID: 22661093
How about chmod?

What would the command be to provide them access to chmod the file to any permission?
0
 

Author Comment

by:p0sreed
ID: 22675683
I get the following error when I try your solution


sudo /bin/chown -h test:sysadmin -- /export/home/test/file
>>> sudoers file: syntax error, line 18 <<<
sudo: parse error in /usr/local/etc/sudoers near line 18
Oct  8 21:22:53 <hostname> sudo: [ID 702911 local2.alert]     test : parse error in /usr/local/etc/sudoers near line 18 ; TTY=pts/1 ; PWD=/export/home/test ; USER=root ; COMMAND=/bin/chown -h test:sysadmin -- /export/home/test/file

I have this in my sudo file

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN=/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 22692255
That is NOT what sudo is for. You're using a hammer to turn a bolt.

sudo is *not* a filesystem access control tool. It is designed to offer controlled privilege escalation/modification.

I would suggest establishing an account that has the filesystem permissions you want, then allowing the users to switch their security context to that account:

$ sudo su - otherid
0
 

Author Comment

by:p0sreed
ID: 22692288
I have something like what Mysidia pointed out.

I want to make his idea work.

When I implement his solution, visudo is complaining of a syntax error.

Mysidia, please help!
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22693968
Ok.. the example I sent included a ":" in the Cmnd_Alias line; you actually need to escape this character with a \, because ':' has special meaning to sudo.

Try this:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
0
 

Author Comment

by:p0sreed
ID: 22695590
It works, thanks Mysidia.

How can I do the same thing for chmod? I am thinking something like below

Cmnd_Alias      CHMOD=/bin/chmod 777 -- /export/home/test/[a-zA-Z0-9]*

This chmod works too, but it only gives one modification at a time.

I want it to cover all sorts of permissions like 4, 5, 6, 7.

Also, how do I avoid this "chown: --: No such file or directory"?

root@cslcl1-ha1  $ sudo chown -h test:sysadmin -- /export/home/test/sample
Password:
chown: --: No such file or directory
root@cslcl1-ha1  $ ls -l
total 6
-rw-r--r--   1 test     sysadmin     250 Oct  8 21:12 local.bashrc
-rw-r--r--   1 test     sysadmin     205 Oct  8 21:12 local.cshrc
-rw-r--r--   1 test     sysadmin       0 Oct  8 21:12 local.login
-rw-r--r--   1 test     sysadmin     247 Oct  8 21:12 local.profile
-rw-r--r--   1 test     sysadmin       0 Oct 11 16:06 sample
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22695672
It sounds as if your version of chown doesn't support the "--" separator, in which case you can allow chown without the -- instead, by modifying sudoers and your command line to take out the --.

What "--" normally means (for most commands) is that the rest of the line contains only additional filenames, no more command line options like -R. For example, on most systems:

chown myuser -- x/ -R      means chown a file named "-R" and a directory named "x"
chown myuser x/ -R         means chown a directory named "x" recursively (chown all files and subdirs in it recursively)

A problem to keep in mind with chmod is it has no equivalent to the '-h'  option.
It means that if you give someone the ability to 'chmod'  with sudo, they can change the permissions of any file on the filesystem.

Here's an example of a bad sequence of commands:
ln -s    /etc/passwd /export/home/test/sample/mylink
sudo /bin/chmod 777 -- /export/home/test/sample/mylink


So my recommendation is not to give direct access to the 'chmod' command.

Instead use a wrapper script or write a wrapper program to be called from sudo, implement what you want to do and perform appropriate checks.


For example, paste code like this into a chmod_wrapper.c :

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>

/* Directory the wrapper is confined to; adjust to the directory you
   want to expose (e.g. /export/home/test/). The trailing slash matters. */
#define BASE_PATH "/tmp/"

int main(int argc, char* argv[])
{
     int newmode, fd, i, j;

     if (argc < 3) {
          fprintf(stderr, "Usage: %s <mode> <file list>\n",
                  argv[0] ? argv[0] : "chmod_wrapper");
          exit(1);
     }

     /* the mode is parsed as octal, e.g. 644 or 755 */
     newmode = strtol(argv[1], (char**)0, 8);
     for (i = 2; i < argc; i++) {
          /* the target must start with BASE_PATH ... */
          if (strncmp(argv[i], BASE_PATH, strlen(BASE_PATH)) != 0) {
               fprintf(stderr, "Target: %s is not in " BASE_PATH "\n", argv[i]);
               goto skip_this_file;
          }

          /* ... and the remainder may not contain ".." or another "/",
             so only names directly inside BASE_PATH are accepted */
          for (j = strlen(BASE_PATH); argv[i][j] != '\0'; j++) {
               if ((argv[i][j] == '.' && argv[i][j+1] == '.')
                    || argv[i][j] == '/') {
                    fprintf(stderr, "Filename contains invalid characters\n");
                    goto skip_this_file;
               }
          }

          /* O_NOFOLLOW refuses symlinks, so a link pointing outside
             BASE_PATH cannot be used to chmod its target; fchmod on the
             open descriptor avoids a race between the check and the use */
          fd = open(argv[i], O_RDONLY | O_NOFOLLOW);
          if (fd < 0) {
               fprintf(stderr, "open(%s): %.80s\n", argv[i], strerror(errno));
               goto skip_this_file;
          }

          if (fchmod(fd, newmode) < 0) {
               perror("chmod");
          }

          /* close exactly once, whether or not fchmod succeeded */
          if (close(fd) < 0) {
               perror("close");
          }

          skip_this_file:;
     }
     return 0;
}

gcc -o chmod_wrapper chmod_wrapper.c

Then use a sudoers entry like

Cmnd_Alias      CHMOD=/usr/local/bin/chmod_wrapper [0-9][0-9][0-9] /export/home/test/[a-zA-Z0-9]*


0
 
LVL 23

Accepted Solution

by:
Mysidia earned 500 total points
ID: 22696064
Actually, I recommend adjusting the wrapper and using the same for chown.

The problem is that

/home/cvs/[a-zA-Z0-9]*

matches more than one might think; for instance it matches "sudo /usr/bin/chown /home/cvs/A /root/blah".

You can expand this a little:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
Cmnd_Alias      BLOCKED_CHOWN = /bin/chown -h test\:sysadmin -- * *
CVSTEST         ALL = (root)    CHOWN, !BLOCKED_CHOWN

to restrict a single sudo'd chown from containing more parameters than expected.

You can also use this technique if you later want to make certain files in the directory "not chownable" by the users you have listed in the 'CVSTEST' user alias.

0
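Why the pattern in the accepted answer matches a second file, and how the !BLOCKED_CHOWN entry closes that, can be checked offline with a small model of sudo's argument matching. This is an added example, not code from the thread or from sudo itself; it assumes only the documented sudoers behaviour that arguments are matched as one space-joined string with fnmatch(3) and that the last matching entry wins.

```python
"""Simplified model of how sudoers matches command-line arguments.

Added example, not from the original thread. It models only the behaviour
the answer above relies on: sudo joins the supplied arguments into one
space-separated string and matches it against the Cmnd_Alias argument
pattern with fnmatch(3), so a trailing '*' also matches spaces and thus
extra arguments; among the entries listed for a user, the last match wins,
and a '!' entry that matches last denies. Everything else in sudo (path
globbing, Defaults, digests) is ignored here. The rules are constructed
from the CHOWN / BLOCKED_CHOWN lines of the accepted answer.
"""
from fnmatch import fnmatchcase

# (permit?, command, argument pattern). The "\:" escape belongs to the
# sudoers file syntax; the pattern sudo ends up matching holds a plain ':'.
CHOWN = (True, "/bin/chown", "-h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*")
BLOCKED_CHOWN = (False, "/bin/chown", "-h test:sysadmin -- * *")

# CVSTEST  ALL = (root)  CHOWN, !BLOCKED_CHOWN
RULES = [CHOWN, BLOCKED_CHOWN]


def sudo_permits(argv, rules=RULES):
    """Decide whether 'sudo argv...' is permitted under rules.

    argv is the full command vector, argv[0] being the resolved path.
    Returns the verdict of the last matching entry; no match means deny.
    """
    command, args = argv[0], " ".join(argv[1:])
    verdict = False
    for permit, cmd, arg_pattern in rules:
        if command == cmd and fnmatchcase(args, arg_pattern):
            verdict = permit
    return verdict


if __name__ == "__main__":
    # constructed command lines, mirroring the thread's examples
    single = ["/bin/chown", "-h", "test:sysadmin", "--", "/export/home/test/sample"]
    extra = ["/bin/chown", "-h", "test:sysadmin", "--", "/export/home/test/A", "/root/blah"]
    # CHOWN alone lets the two-file form through, because '*' matched
    # " /root/blah"; adding !BLOCKED_CHOWN turns that case into a denial.
    print("one file, CHOWN only:      ", sudo_permits(single, [CHOWN]))  # True
    print("extra file, CHOWN only:    ", sudo_permits(extra, [CHOWN]))   # True
    print("extra file, with !BLOCKED: ", sudo_permits(extra))            # False
    print("one file, with !BLOCKED:   ", sudo_permits(single))           # True
```

Because the blocking pattern keys on a space, a single filename that itself contains a space is denied as well; that is the trade-off of the `* *` rule.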
 

Author Comment

by:p0sreed
ID: 22708343
Ok. I misunderstood the requirement.

Mysidia,

How can I grant users permission to do whatever they want to files inside the directory /home/cvs through Sudo?

Not only chown, chmod, also rm, mv, cp...etc
0
