Solved

Confine Sudo access to a directory

Posted on 2008-10-06
1,314 Views
Last Modified: 2012-05-05
How can I configure sudo to give users access to the /home/cvs directory after they cd to that directory?

Once they get to this directory, they should be able to chown, chmod, etc.
Question by:p0sreed
11 Comments
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 22654519
You cannot give them sudo for a specific directory. You are either a sudo user of the system or not a sudo user.

You can grant them full rights to their own folder: chown them as the owner and chmod to 700.
LVL 23

Expert Comment

by:Mysidia
ID: 22656520
Suppose your sudoers are members of a group 'cvsgroup'. You can use:

%cvsgroup ALL=(root) /bin/chown -h user:group -- /home/cvs/[a-zA-Z0-9]*

In which case, members of the group can now type:
# sudo /bin/chown -h user:group -- /home/cvs/blah

The thing to keep in mind is that you must trust these users to some extent; there may be ways to use a command in unexpected ways otherwise.

You can define shell aliases for them in their .bashrc or /etc/profile:

chowncvs () {
    # quote the argument so a name with spaces is passed as one word
    sudo /bin/chown -h user:groupname -- "/home/cvs/$1"
}


Author Comment

by:p0sreed
ID: 22661093
How about chmod?

What would the command be to give them access to chmod the file to any permission?

Author Comment

by:p0sreed
ID: 22675683
I get the following error when I try your solution:


sudo /bin/chown -h test:sysadmin -- /export/home/test/file
>>> sudoers file: syntax error, line 18 <<<
sudo: parse error in /usr/local/etc/sudoers near line 18
Oct  8 21:22:53 <hostname> sudo: [ID 702911 local2.alert]     test : parse error in /usr/local/etc/sudoers near line 18 ; TTY=pts/1 ; PWD=/export/home/test ; USER=root ; COMMAND=/bin/chown -h test:sysadmin -- /export/home/test/file

I have this in my sudoers file:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN=/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
LVL 34

Expert Comment

by:PsiCop
ID: 22692255
That is NOT what sudo is for. You're using a hammer to turn a bolt.

sudo is *not* a filesystem access control tool. It is designed to offer controlled privilege escalation/modification.

I would suggest establishing an account that has the filesystem permissions you want, then allowing the users to switch their security context to that account:

$ sudo su - otherid

Author Comment

by:p0sreed
ID: 22692288
I have something like what Mysidia pointed out.

I want to make his idea work.

When I implement his solution, visudo complains of a syntax error.

Mysidia, please help!
LVL 23

Expert Comment

by:Mysidia
ID: 22693968
OK, the example I sent included a ":" in the Cmnd_Alias line; you actually need to escape this character with a \, because ':' has special meaning to sudo.

Try this:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN

Author Comment

by:p0sreed
ID: 22695590
It works, thanks Mysidia.

How can I do the same thing for chmod? I am thinking of something like the below:

Cmnd_Alias      CHMOD=/bin/chmod 777 -- /export/home/test/[a-zA-Z0-9]*

This chmod works too, but it only gives one modification at a time.

I want it to cover all sorts of permissions like 4, 5, 6, 7.

Also, how do I avoid this "chown: --: No such file or directory"?

root@cslcl1-ha1  $ sudo chown -h test:sysadmin -- /export/home/test/sample
Password:
chown: --: No such file or directory
root@cslcl1-ha1  $ ls -l
total 6
-rw-r--r--   1 test     sysadmin     250 Oct  8 21:12 local.bashrc
-rw-r--r--   1 test     sysadmin     205 Oct  8 21:12 local.cshrc
-rw-r--r--   1 test     sysadmin       0 Oct  8 21:12 local.login
-rw-r--r--   1 test     sysadmin     247 Oct  8 21:12 local.profile
-rw-r--r--   1 test     sysadmin       0 Oct 11 16:06 sample
LVL 23

Expert Comment

by:Mysidia
ID: 22695672
It sounds as if your version of chown doesn't support the "--" separator, in which case you can allow chown without the -- instead, by modifying sudoers and your command line to take out the --.

What "--" normally means (for most commands) is that the rest of the line contains only additional filenames, no more command-line options like -R. For example, on most systems:

chown myuser -- x/ -R      means chown a file named "-R" and a directory named "x"
chown myuser x/ -R         means chown a directory named "x" recursively (chown all files and subdirs in it recursively)




A problem to keep in mind with chmod is that it has no equivalent to the '-h' option. It means that if you give someone the ability to 'chmod' with sudo, they can change the permissions of any file on the filesystem.

Here's an example of a bad sequence of commands:
ln -s /etc/passwd /export/home/test/sample/mylink
sudo /bin/chmod 777 -- /export/home/test/sample/mylink

So my recommendation is not to give direct access to the 'chmod' command.

Instead, use a wrapper script, or write a wrapper program to be called from sudo, that implements what you want to do and performs appropriate checks.


For example, paste code like this into chmod_wrapper.c:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

/* Only files directly inside this directory may be chmod'ed;
 * set it to the directory named in your sudoers entry. */
#define BASE_PATH "/tmp/"

int main(int argc, char *argv[])
{
    int newmode, fd, i, j;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <mode> <file list>\n",
                argv[0] ? argv[0] : "chmod_wrapper");
        exit(1);
    }

    /* The mode is read as octal, e.g. 644 */
    newmode = strtol(argv[1], (char **)0, 8);

    for (i = 2; i < argc; i++) {
        /* The target must begin with BASE_PATH ... */
        if (strncmp(argv[i], BASE_PATH, strlen(BASE_PATH)) != 0) {
            fprintf(stderr, "Target: %s is not in " BASE_PATH "\n", argv[i]);
            continue;
        }

        /* ... and the rest must be a single name: no ".." and no further "/" */
        for (j = strlen(BASE_PATH); argv[i][j] != '\0'; j++) {
            if ((argv[i][j] == '.' && argv[i][j + 1] == '.')
                || argv[i][j] == '/') {
                fprintf(stderr, "Filename contains invalid characters\n");
                break;
            }
        }
        if (argv[i][j] != '\0')
            continue;

        /* O_NOFOLLOW: refuse to open a symlink, so the chmod cannot be
         * redirected to a file elsewhere on the system */
        fd = open(argv[i], O_RDONLY | O_NOFOLLOW);
        if (fd < 0) {
            fprintf(stderr, "open(%s): %.80s\n", argv[i], strerror(errno));
            continue;
        }

        /* chmod the open descriptor, not the path name */
        if (fchmod(fd, newmode) < 0)
            perror("chmod");

        if (close(fd) < 0)
            perror("close");
    }
    return 0;
}

Compile it with:

gcc -o chmod_wrapper chmod_wrapper.c

Then use a sudoers entry like:

Cmnd_Alias      CHMOD=/usr/local/bin/chmod_wrapper [0-9][0-9][0-9] /export/home/test/[a-zA-Z0-9]*

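The wrapper above vets the path by string prefix and then relies on O_NOFOLLOW. What follows is an added example written for this page (not Mysidia's code, not anything from the sudo project) of a tighter variant that also covers the accepted answer's suggestion to reuse the wrapper for chown. It takes bare file names rather than paths, opens each one relative to a fixed directory with openat(2), and refuses anything that is not a singly-linked regular file: a symlink, a directory, a device node or FIFO, and a hard link that someone created to a file elsewhere on the same filesystem are all rejected before fchmod/fchown runs on the descriptor. BASE_DIR, the status codes, the function names and the matching sudoers line are this example's assumptions; the sudoers line would be `Cmnd_Alias CHMOD = /usr/local/bin/chmod_wrapper [0-7][0-7][0-7] [a-zA-Z0-9]*`, with the wrapper doing the real checking on every name it receives.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define BASE_DIR "/export/home/test"   /* assumption: only direct children of this dir */

enum wrap_status {
    WRAP_OK = 0,
    WRAP_BADNAME,  /* empty, ".", "..", or contains '/': not a single path component */
    WRAP_OPEN,     /* open/fstat failed; a symlink fails here with ELOOP (O_NOFOLLOW) */
    WRAP_NOTREG,   /* directory, device, FIFO or socket */
    WRAP_LINKED,   /* st_nlink > 1: may be a hard link to a file outside BASE_DIR */
    WRAP_FAIL      /* fchmod/fchown itself failed */
};

int valid_name(const char *name)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* "644" -> 0644; -1 for anything but exactly 3 octal digits (no setuid/setgid/sticky). */
long parse_mode(const char *s)
{
    long mode = 0;
    for (int i = 0; i < 3; i++) {
        if (s[i] < '0' || s[i] > '7') return -1;
        mode = mode * 8 + (s[i] - '0');
    }
    return s[3] == '\0' ? mode : -1;
}

/* Open basedir/name without following symlinks; accept only a singly-linked regular file. */
static int open_target(const char *basedir, const char *name, int *fd_out)
{
    struct stat st;
    int dfd, fd;
    if (!valid_name(name)) return WRAP_BADNAME;
    if ((dfd = open(basedir, O_RDONLY | O_DIRECTORY)) < 0) return WRAP_OPEN;
    /* Resolved relative to dfd, so no prefix-string checks on a path are needed;
     * O_NONBLOCK keeps a FIFO from hanging the open before we can reject it. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    close(dfd);
    if (fd < 0) return WRAP_OPEN;
    if (fstat(fd, &st) < 0)   { close(fd); return WRAP_OPEN; }
    if (!S_ISREG(st.st_mode)) { close(fd); return WRAP_NOTREG; }
    if (st.st_nlink != 1)     { close(fd); return WRAP_LINKED; }
    *fd_out = fd;
    return WRAP_OK;
}

/* mode < 0 skips chmod, uid < 0 skips chown; both act on the vetted descriptor, never on the path. */
int modify_in_dir(const char *basedir, const char *name, long mode, long uid, long gid)
{
    int fd, rc = open_target(basedir, name, &fd);
    if (rc != WRAP_OK) return rc;
    if (mode >= 0 && fchmod(fd, (mode_t)mode) != 0) rc = WRAP_FAIL;
    if (rc == WRAP_OK && uid >= 0 && fchown(fd, (uid_t)uid, (gid_t)gid) != 0) rc = WRAP_FAIL;
    close(fd);
    return rc;
}

/* Self-check in a scratch directory with constructed files; 0 when every case behaves as intended. */
int demo(void)
{
    char dir[] = "/tmp/wrapdemo.XXXXXX", file[64], lnk[64], alias[64];
    struct stat st;
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -2;
    close(fd);
    if (modify_in_dir(dir, "target", 0640, -1, -1) != WRAP_OK) rc = 1;          /* plain file: allowed */
    else if (stat(file, &st) != 0 || (st.st_mode & 07777) != 0640) rc = 2;
    if (rc == 0 && symlink("/etc/passwd", lnk) == 0
        && modify_in_dir(dir, "link", 0666, -1, -1) != WRAP_OPEN) rc = 3;       /* symlink refused */
    if (rc == 0 && link(file, alias) == 0
        && modify_in_dir(dir, "target", 0666, -1, -1) != WRAP_LINKED) rc = 4;   /* hard-linked refused */
    unlink(alias);
    if (rc == 0 && modify_in_dir(dir, "target", -1, getuid(), getgid()) != WRAP_OK) rc = 5;
    unlink(lnk); unlink(file); rmdir(dir);
    return rc;
}

int main(int argc, char *argv[])
{
    long mode = argc > 2 ? parse_mode(argv[1]) : -1;
    int bad = 0;
    if (mode < 0) { fprintf(stderr, "usage: %s <3-digit octal mode> <name>...\n", argv[0]); return 2; }
    for (int i = 2; i < argc; i++) {
        int rc = modify_in_dir(BASE_DIR, argv[i], mode, -1, -1);
        if (rc != WRAP_OK) { fprintf(stderr, "%s: refused (status %d)\n", argv[i], rc); bad = 1; }
    }
    return bad;
}
```

Because the name never reaches a path-based syscall, the sudoers glob only has to stop obviously wrong invocations; traversal, symlinks and hard links are all decided by the program on the open descriptor. The hard-link check matters on systems that let a user link to files they do not own within one filesystem, which is exactly the case when a home directory and the files it is supposed to protect share a partition.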
LVL 23

Accepted Solution

by:Mysidia (earned 500 total points)
ID: 22696064
Actually, I recommend adjusting the wrapper and using the same for chown.

The problem is that

/home/cvs/[a-zA-Z0-9]*

matches more than one might think; for instance it matches "sudo /usr/bin/chown /home/cvs/A /root/blah".

You can expand this a little:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
Cmnd_Alias      BLOCKED_CHOWN = /bin/chown -h test\:sysadmin -- * *
CVSTEST         ALL = (root)    CHOWN, !BLOCKED_CHOWN

to restrict a single sudo'd chown from listing more parameters than expected.

You can also use this technique if you later want to make certain files in the directory "not chownable" by the users you have listed in the 'CVSTEST' user alias.

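The over-matching that Mysidia describes in the comment above (and that applies just as much to the `/home/cvs/[a-zA-Z0-9]*` pattern in the first sudoers example) can be reproduced without editing sudoers at all. As sudoers(5) documents, the command-line arguments are matched as a single space-separated string, and a wildcard matches any characters, spaces and slashes included; that is the behaviour of fnmatch(3) without FNM_PATHNAME. The following C program is an added example written for this page, not code from the thread or from sudo itself; it assumes the CHOWN and BLOCKED_CHOWN argument patterns exactly as in the sudoers fragment above, with the `\:` escape already removed as sudo's parser does. Beyond the thread's own "two files" case it also shows that the `!BLOCKED_CHOWN` negation does not stop `..` traversal inside a single argument, which is one reason the wrapper-program approach is the safer one.

```c
#include <fnmatch.h>
#include <stdio.h>

/* Argument patterns from the two Cmnd_Alias lines above, written as sudo sees
 * them after the parser has removed the '\' from '\:'. */
static const char *CHOWN_ARGS         = "-h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*";
static const char *BLOCKED_CHOWN_ARGS = "-h test:sysadmin -- * *";

/* Model of sudo's argument check: the arguments the user typed, joined by
 * single spaces, matched against the pattern with fnmatch(3) and flags 0,
 * so '*' matches any run of characters including ' ' and '/'. */
int sudoers_args_match(const char *pattern, const char *args)
{
    return fnmatch(pattern, args, 0) == 0;
}

/* Model of the rule:  CVSTEST ALL = (root) CHOWN, !BLOCKED_CHOWN  */
int chown_allowed(const char *args)
{
    return sudoers_args_match(CHOWN_ARGS, args)
        && !sudoers_args_match(BLOCKED_CHOWN_ARGS, args);
}

int main(void)
{
    /* Constructed argument lines, i.e. what follows "sudo /bin/chown" on the command line. */
    static const char *tries[] = {
        "-h test:sysadmin -- /export/home/test/sample",                /* the intended use */
        "-h test:sysadmin -- /export/home/test/A /root/blah",          /* extra file: caught by !BLOCKED_CHOWN */
        "-h test:sysadmin -- /export/home/test/a/../../../etc/passwd", /* traversal inside one argument: NOT caught */
        "-h test:sysadmin -- /export/home/test/.ssh",                  /* dot-file: first char outside [a-zA-Z0-9] */
        "-R test:sysadmin /export/home/test/sample",                   /* different options: no match at all */
    };
    size_t i;
    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-5s  CHOWN=%d  BLOCKED=%d  %s\n",
               chown_allowed(tries[i]) ? "ALLOW" : "DENY",
               sudoers_args_match(CHOWN_ARGS, tries[i]),
               sudoers_args_match(BLOCKED_CHOWN_ARGS, tries[i]),
               tries[i]);
    return 0;
}
```

The traversal line is allowed because `*` happily matches `/../../../etc/passwd` and the negation only fires when a space follows `--`. sudo's `!` can subtract patterns but cannot express "exactly one name, with no slash, under this directory", so if the directory is writable by the user (who can then create the `a` subdirectory) the glob alone does not confine the command.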

Author Comment

by:p0sreed
ID: 22708343
OK, I misunderstood the requirement.

Mysidia,

How can I grant users permission to do whatever they want to files inside the directory /home/cvs through sudo?

Not only chown and chmod, but also rm, mv, cp, etc.