Confine Sudo access to a directory

Posted on 2008-10-06
Last Modified: 2012-05-05
How can I configure sudo to provide access to users in the /home/cvs directory after they cd to that directory?

Once they get to this directory, they should be able to chown, chmod, etc.
11 Comments
 
Expert Comment by Tyler Laczko (ID 22654519)

You cannot give them sudo for a specific directory. You are either a sudo user of the system or not a sudo user.

You can grant them full rights to their own folder: chown them as the owner and chmod to 700.

Expert Comment by Mysidia (ID 22656520)

Suppose your sudoers are members of a group 'cvsgroup'.
You can use

%cvsgroup ALL=(root) /bin/chown -h user:group -- /home/cvs/[a-zA-Z0-9]*


In which case, members of the group can now type
# sudo /bin/chown -h user:group -- /home/cvs/blah


The thing to keep in mind is that you must trust these users to some extent; there may be ways to use a command in unexpected ways otherwise.

You can define shell aliases for them in their .bashrc or /etc/profile:

chowncvs () {
# quote the argument so a name with spaces is passed as one word
sudo /bin/chown -h user:groupname -- "/home/cvs/$1"
}


Author Comment by p0sreed (ID 22661093)

How about chmod?

What would the command be to give them access to chmod the file to any permission?

Author Comment by p0sreed (ID 22675683)

I get the following error when I try your solution:


sudo /bin/chown -h test:sysadmin -- /export/home/test/file
>>> sudoers file: syntax error, line 18 <<<
sudo: parse error in /usr/local/etc/sudoers near line 18
Oct  8 21:22:53 <hostname> sudo: [ID 702911 local2.alert]     test : parse error in /usr/local/etc/sudoers near line 18 ; TTY=pts/1 ; PWD=/export/home/test ; USER=root ; COMMAND=/bin/chown -h test:sysadmin -- /export/home/test/file

I have this in my sudo file

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN=/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN

Expert Comment by PsiCop (ID 22692255)

That is NOT what sudo is for. You're using a hammer to turn a bolt.

sudo is *not* a filesystem access control tool. It is designed to offer controlled privilege escalation/modification.

I would suggest establishing an account that has the filesystem permissions you want, then allowing the users to switch their security context to that account:

$ sudo su - otherid

Author Comment by p0sreed (ID 22692288)

I have something like what Mysidia pointed out.

I want to make his idea work.

When I implement his solution, visudo complains of a syntax error.

Mysidia, please help!

Expert Comment by Mysidia (ID 22693968)

OK, the example I sent included a ":" in the Cmnd_Alias line; you actually need to escape this character with a \, because ':' has special meaning to sudo.

Try this:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN

Author Comment by p0sreed (ID 22695590)

It works, thanks Mysidia.

How can I do the same thing for chmod? I am thinking something like below:

Cmnd_Alias      CHMOD=/bin/chmod 777 -- /export/home/test/[a-zA-Z0-9]*

This chmod works too, but it only gives one modification at a time.

I want it to cover all sorts of permissions like 4, 5, 6, 7.

Also, how do I avoid this "chown: --: No such file or directory"?

root@cslcl1-ha1  $ sudo chown -h test:sysadmin -- /export/home/test/sample
Password:
chown: --: No such file or directory
root@cslcl1-ha1  $ ls -l
total 6
-rw-r--r--   1 test     sysadmin     250 Oct  8 21:12 local.bashrc
-rw-r--r--   1 test     sysadmin     205 Oct  8 21:12 local.cshrc
-rw-r--r--   1 test     sysadmin       0 Oct  8 21:12 local.login
-rw-r--r--   1 test     sysadmin     247 Oct  8 21:12 local.profile
-rw-r--r--   1 test     sysadmin       0 Oct 11 16:06 sample

Expert Comment by Mysidia (ID 22695672)

It sounds as if your version of chown doesn't support the "--" separator, in which case you can allow chown without the -- instead, by modifying sudoers and your command line to take out the --.

What "--" normally means (for most commands) is that the rest of the line contains only additional filenames, no more command line options like -R.
For example, on most systems:
chown myuser -- x/ -R      means chown a file named "-R" and a directory named "x"
Whereas: chown myuser x/ -R      means chown a directory named "x" recursively (chown all files and subdirs in it recursively)


A problem to keep in mind with chmod is that it has no equivalent to the '-h' option.
It means that if you give someone the ability to 'chmod' with sudo, they can change the permissions of any file on the filesystem.

Here's an example of a bad sequence of commands:
ln -s /etc/passwd /export/home/test/sample/mylink
sudo /bin/chmod 777 -- /export/home/test/sample/mylink


So my recommendation is not to give direct access to the 'chmod' command.

Instead use a wrapper script or write a wrapper program to be called from sudo; implement what you want to do and perform appropriate checks.


For example, paste code like this into a chmod_wrapper.c and build it with:

gcc -o chmod_wrapper chmod_wrapper.c


Then use a sudoers entry like

Cmnd_Alias      CHMOD=/usr/local/bin/chmod_wrapper [0-9][0-9][0-9] /export/home/test/[a-zA-Z0-9]*

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include <errno.h>

/* Directory the wrapper may touch. Must end in '/' and must match the
 * directory used in the sudoers Cmnd_Alias (as posted this is /tmp/;
 * change it to /export/home/test/ to go with the entry above). */
#define BASE_PATH "/tmp/"

int main(int argc, char* argv[])
{
     int newmode, fd, i, j;

     if (argc < 3) {
                 fprintf(stderr, "Usage: %s <mode> <file list>\n",
                          argv[0] ? argv[0] : "chmod_wrapper");
                 exit(1);
     }

     /* Octal mode; the [0-9][0-9][0-9] pattern in sudoers limits what
      * can reach here. */
     newmode = strtol(argv[1], (char**)0, 8);
    for (i = 2; i < argc; i++) {
          /* The argument must start with BASE_PATH ... */
          if (strncmp(argv[i], BASE_PATH, strlen(BASE_PATH)) != 0)
          {
               fprintf(stderr, "Target: %s is not in " BASE_PATH "\n", argv[i]);
               goto skip_this_file;
          }

          /* ... and the rest must be a single component: no '/' and no ".." */
          for (j = strlen(BASE_PATH); argv[i][j] != '\0'; j++) {
               if ((argv[i][j] == '.' && argv[i][j+1] == '.')
                    || argv[i][j] == '/')
               {
                   fprintf(stderr, "Filename contains invalid characters\n");
                   goto skip_this_file;
               }
          }

          /* O_NOFOLLOW: a symlink planted in BASE_PATH fails here (ELOOP)
           * instead of redirecting the chmod to its target. */
          fd = open(argv[i], O_RDONLY | O_NOFOLLOW);
          if (fd < 0) {
               fprintf(stderr, "open(%s): %.80s\n", argv[i], strerror(errno));
               goto skip_this_file;
          }

          /* Change the mode of the object we actually opened. */
          if (fchmod(fd, newmode) < 0) {
               perror("chmod");
          }

          if (close(fd) < 0) {
               perror("close");
          }

          skip_this_file:;
    }
    return 0;
}
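The symlink problem shown in this comment (a chmod through a link in the directory reaching /etc/passwd), and the chown variant the accepted answer later recommends, as an added example that is not code from the thread. It isolates the race-free core of such a wrapper: the naive chmod that follows the link beside a hardened form that opens with O_NOFOLLOW, checks what it opened, and applies the mode and ownership to that fd. It assumes Linux/glibc (openat, fstatat, fchmodat, ELOOP from O_NOFOLLOW) and that the directory fd would, in a real wrapper, be opened once from a fixed base path; the demo builds a temporary directory, a target file and a symlink itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not code from the thread: the race-free core of a wrapper
 * serving both chmod and chown. It works relative to an already-open directory
 * fd, so the name cannot leave that directory. Assumes Linux/glibc. */

/* Accept only a single path component: no '/', no "", no "." or "..". */
int name_is_plain(const char *name)
{
    if (name == NULL || *name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* What a plain `chmod MODE dir/name` does: the last component is followed, so a
 * symlink planted by the user redirects the change to its target. */
int naive_chmod(int dirfd, const char *name, mode_t mode)
{
    return fchmodat(dirfd, name, mode, 0);
}

/* Hardened form: O_NOFOLLOW makes a symlink fail (ELOOP); fstat() rejects
 * anything but files and directories, and files with st_nlink > 1 (a hard link
 * may alias a file outside the directory); the change goes to the fd actually
 * opened, not to a path that may have been swapped meanwhile.
 * uid/gid of (uid_t)-1 / (gid_t)-1 leave ownership alone. */
int safe_change(int dirfd, const char *name, mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, rc;

    if (!name_is_plain(name)) { errno = EINVAL; return -1; }
    fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) { close(fd); errno = EPERM; return -1; }
    if (S_ISREG(st.st_mode) && st.st_nlink > 1) { close(fd); errno = EMLINK; return -1; }
    rc = fchmod(fd, mode & 07777);
    if (rc == 0 && (uid != (uid_t)-1 || gid != (gid_t)-1))
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Demonstration in a temporary directory constructed here (runs as an ordinary
 * user): "target" is a 0644 regular file, "link" a symlink to it. Returns 1 when
 * the naive call changed target through the link, the safe call refused the link
 * and a ".." escape, and the safe call worked on the real file with a chown. */
int demo(void)
{
    char tmpl[] = "/tmp/chwrap.XXXXXX";
    char *dir = mkdtemp(tmpl);
    struct stat st;
    int dirfd, fd, followed, refused, escaped, applied;

    if (dir == NULL)
        return 0;
    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    fd = openat(dirfd, "target", O_WRONLY | O_CREAT | O_EXCL, 0644);
    fchmod(fd, 0644);                            /* not subject to umask */
    close(fd);
    symlinkat("target", dirfd, "link");
    naive_chmod(dirfd, "link", 0600);
    fstatat(dirfd, "target", &st, AT_SYMLINK_NOFOLLOW);
    followed = (st.st_mode & 07777) == 0600;     /* the target was changed */
    refused = safe_change(dirfd, "link", 0666, (uid_t)-1, (gid_t)-1) == -1 && errno == ELOOP;
    fstatat(dirfd, "target", &st, AT_SYMLINK_NOFOLLOW);
    refused = refused && (st.st_mode & 07777) == 0600;            /* untouched */
    escaped = safe_change(dirfd, "A/../../etc/passwd", 0666, (uid_t)-1, (gid_t)-1) == -1
              && errno == EINVAL;
    applied = safe_change(dirfd, "target", 0640, getuid(), getgid()) == 0;
    fstatat(dirfd, "target", &st, AT_SYMLINK_NOFOLLOW);
    applied = applied && (st.st_mode & 07777) == 0640;
    unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "target", 0);
    close(dirfd);
    rmdir(dir);
    return followed && refused && escaped && applied;
}

int main(void)
{
    int ok = demo();
    printf("link refused, escape refused, real file changed: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

In a real wrapper the sudoers entry would name the wrapper with the base directory fixed in the binary, and the user would only ever supply the mode, the owner and a bare file name. The st_nlink check is the one the posted wrapper lacks: on a kernel with fs.protected_hardlinks turned off, a user can hard-link a root-owned file on the same filesystem into the directory, and neither O_NOFOLLOW nor a ".." check notices that.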


Accepted Solution by Mysidia (ID 22696064; earned 2000 total points)

Actually, I recommend adjusting the wrapper and using the same for chown.

The problem is
/home/cvs/[a-zA-Z0-9]*

matches more than one might think;
for instance it matches "sudo /usr/bin/chown /home/cvs/A /root/blah"

You can expand this a little:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
Cmnd_Alias      BLOCKED_CHOWN = /bin/chown -h test\:sysadmin -- * *
CVSTEST         ALL = (root)    CHOWN, !BLOCKED_CHOWN

to stop a single sudo'd chown from listing more parameters than expected.

You can also use this technique if you later want to make certain files in the directory "not chownable" by the users you have listed in the 'CVSTEST' user alias.
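The wildcard behaviour this answer relies on, as an added example that is not code from the thread. sudo compares the argument part of a sudoers command with the arguments the user typed as one space-joined string, using fnmatch(3)-style globbing in which '*' also matches spaces, slashes and "..". The functions below reproduce that decision with fnmatch(3) directly; that flags 0 mirror sudo's own matcher for these cases is an assumption to confirm with `sudo -l` on your version. The patterns are the accepted entry with the backslash dropped, since the '\:' only protects the colon from the sudoers parser. The example goes one step beyond the answer: it also shows a ".." path that both patterns let through, which is why the wrapper rejects '/' and ".." in the name.

```c
#include <fnmatch.h>
#include <stdio.h>

/* Added example, not from the original thread: sudoers argument matching
 * reproduced with fnmatch(3), flags 0 (assumption: this mirrors sudo's own
 * matcher for the cases below). */
static const char ALLOW[] =
    "/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*";
static const char DENY[] =
    "/bin/chown -h test:sysadmin -- * *";

/* 1 if the typed command line (program plus space-joined args) matches
 * the sudoers pattern, 0 otherwise. */
int sudoers_match(const char *pattern, const char *typed)
{
    return fnmatch(pattern, typed, 0) == 0;
}

/* Effect of `CVSTEST ALL = (root) CHOWN, !BLOCKED_CHOWN`: the later, negated
 * entry wins, so a line is allowed only if ALLOW matches and DENY does not. */
int allowed(const char *typed)
{
    return sudoers_match(ALLOW, typed) && !sudoers_match(DENY, typed);
}

int main(void)
{
    /* Constructed command lines: the intended use; the two-file trick the
     * answer blocks; a ".." traversal that slips past both patterns (chown -h
     * only refuses to follow the final component, so if A is a directory the
     * intermediate ".." still resolve to /etc/passwd); and a legitimate file
     * whose name contains a space, which the deny rule also refuses. */
    const char *lines[] = {
        "/bin/chown -h test:sysadmin -- /export/home/test/sample",
        "/bin/chown -h test:sysadmin -- /export/home/test/A /root/blah",
        "/bin/chown -h test:sysadmin -- /export/home/test/A/../../../etc/passwd",
        "/bin/chown -h test:sysadmin -- /export/home/test/my file",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-75s -> %s\n", lines[i], allowed(lines[i]) ? "ALLOWED" : "denied");
    return 0;
}
```

The third line is the one to take away: the negated alias closes the extra-argument hole but not the traversal hole, and sudoers has no pattern syntax that can express "one component, no slash, no dot-dot" reliably, which is the argument for moving that check into a wrapper that receives only a bare file name.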


Author Comment by p0sreed (ID 22708343)

OK. I misunderstood the requirement.

Mysidia,

How can I grant users permission to do whatever they want to files inside the directory /home/cvs through Sudo?

Not only chown, chmod, also rm, mv, cp...etc