Solved

Confine Sudo access to a directory

Posted on 2008-10-06
11
1,313 Views
Last Modified: 2012-05-05
How can I configure sudo to provide access to users in the /home/cvs directory after they cd to that directory?

Once they get to this directory, they should be able to chown, chmod etc.
Question by:p0sreed
11 Comments
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 22654519
You cannot give them sudo for a specific directory. You are either a sudo user of the system or not a sudo user.

You can grant them full rights to their own folder: chown them as the owner and chmod to 700.
 
LVL 23

Expert Comment

by:Mysidia
ID: 22656520
Suppose your sudoers are members of a group 'cvsgroup'. You can use

%cvsgroup ALL=(root) /bin/chown -h user:group -- /home/cvs/[a-zA-Z0-9]*

In which case, members of the group can now type

# sudo /bin/chown -h user:group -- /home/cvs/blah

The thing to keep in mind is you must trust these users to some extent; there may be ways to use a command in unexpected ways otherwise.

You can define shell aliases for them in their .bashrc or /etc/profile

# "$1" is quoted so a name containing spaces reaches chown as a single argument
chowncvs () {
    sudo /bin/chown -h user:groupname -- "/home/cvs/$1"
}

 

Author Comment

by:p0sreed
ID: 22661093
How about chmod?

What would the command be to provide them access to chmod the file to any permission?
 

Author Comment

by:p0sreed
ID: 22675683
I get the following error when I try your solution


sudo /bin/chown -h test:sysadmin -- /export/home/test/file
>>> sudoers file: syntax error, line 18 <<<
sudo: parse error in /usr/local/etc/sudoers near line 18
Oct  8 21:22:53 <hostname> sudo: [ID 702911 local2.alert]     test : parse error in /usr/local/etc/sudoers near line 18 ; TTY=pts/1 ; PWD=/export/home/test ; USER=root ; COMMAND=/bin/chown -h test:sysadmin -- /export/home/test/file

I have this in my sudo file

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN=/bin/chown -h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
 
LVL 34

Expert Comment

by:PsiCop
ID: 22692255
That is NOT what sudo is for. You're using a hammer to turn a bolt.

sudo is *not* a filesystem access control tool. It is designed to offer controlled privilege escalation/modification.

I would suggest establishing an account that has the filesystem permissions you want, then allowing the users to switch their security context to that account:

$ sudo su - otherid
 

Author Comment

by:p0sreed
ID: 22692288
I have something like what Mysidia pointed out.

I want to make his idea work.

When I implement his solution, visudo complains of a syntax error.

Mysidia, please help!
 
LVL 23

Expert Comment

by:Mysidia
ID: 22693968
Ok.. the example I sent included a ":" in the Cmnd_Alias line; you actually need to escape this character with a \, because ':' has special meaning to sudo.

Try this:

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
CVSTEST         ALL = (root)    CHOWN
 

Author Comment

by:p0sreed
ID: 22695590
It works, thanks Mysidia.

How can I do the same thing for chmod? I am thinking of something like below

Cmnd_Alias      CHMOD=/bin/chmod 777 -- /export/home/test/[a-zA-Z0-9]*

This chmod works too, but it only gives one modification at a time.

I want it to cover all sorts of permissions, like 4, 5, 6, 7.

Also, how do I avoid this "chown: --: No such file or directory"?

root@cslcl1-ha1  $ sudo chown -h test:sysadmin -- /export/home/test/sample
Password:
chown: --: No such file or directory
root@cslcl1-ha1  $ ls -l
total 6
-rw-r--r--   1 test     sysadmin     250 Oct  8 21:12 local.bashrc
-rw-r--r--   1 test     sysadmin     205 Oct  8 21:12 local.cshrc
-rw-r--r--   1 test     sysadmin       0 Oct  8 21:12 local.login
-rw-r--r--   1 test     sysadmin     247 Oct  8 21:12 local.profile
-rw-r--r--   1 test     sysadmin       0 Oct 11 16:06 sample
 
LVL 23

Expert Comment

by:Mysidia
ID: 22695672
It sounds as if your version of chown doesn't support the "--" separator, in which case you can allow chown without the -- instead, by modifying sudoers and your command line to take out the --.

What "--" normally means (for most commands) is that the rest of the line contains only additional filenames, no more command line options like -R. For example, on most systems:

chown myuser -- x/ -R      means chown a file named "-R" and a directory named "x"
Whereas: chown myuser x/ -R      means chown a directory named "x" recursively (chown all files and subdirs in it recursively)

A problem to keep in mind with chmod is that it has no equivalent to the '-h' option.
It means that if you give someone the ability to 'chmod' with sudo, they can change the permissions of any file on the filesystem.

Here's an example of a bad sequence of commands:

ln -s /etc/passwd /export/home/test/sample/mylink
sudo /bin/chmod 777 -- /export/home/test/sample/mylink

So my recommendation is not to give direct access to the 'chmod' command.

Instead, use a wrapper script or write a wrapper program to be called from sudo; implement what you want to do and perform appropriate checks.


For example, paste code like this into a chmod_wrapper.c :

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

/* Directory the wrapper may operate in; change this to the real target
   directory (e.g. /export/home/test/) before building. The trailing '/'
   is required by the prefix check below. */
#define BASE_PATH "/tmp/"

int main(int argc, char *argv[])
{
    long newmode;
    char *end;
    int fd, i, j;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <mode> <file list>\n",
                argv[0] ? argv[0] : "chmod_wrapper");
        exit(1);
    }

    /* The mode must be a plain octal number in the range 0..07777. */
    errno = 0;
    newmode = strtol(argv[1], &end, 8);
    if (errno != 0 || end == argv[1] || *end != '\0'
        || newmode < 0 || newmode > 07777) {
        fprintf(stderr, "Invalid mode: %s\n", argv[1]);
        exit(1);
    }

    for (i = 2; i < argc; i++) {
        /* Every target must start with BASE_PATH and name something in it
           (the bare directory itself is not a valid target). */
        if (strncmp(argv[i], BASE_PATH, strlen(BASE_PATH)) != 0
            || argv[i][strlen(BASE_PATH)] == '\0') {
            fprintf(stderr, "Target: %s is not in " BASE_PATH "\n", argv[i]);
            goto skip_this_file;
        }

        /* The remainder may not contain ".." or another '/', so the path
           can neither climb out of the directory nor descend into it. */
        for (j = strlen(BASE_PATH); argv[i][j] != '\0'; j++) {
            if ((argv[i][j] == '.' && argv[i][j + 1] == '.')
                || argv[i][j] == '/') {
                fprintf(stderr, "Filename contains invalid characters\n");
                goto skip_this_file;
            }
        }

        /* O_NOFOLLOW makes open() fail on a symlink, so a link planted in
           the directory cannot redirect the chmod to a file elsewhere.
           fchmod() then acts on the descriptor, not on the name. */
        fd = open(argv[i], O_RDONLY | O_NOFOLLOW);
        if (fd < 0) {
            fprintf(stderr, "open(%s): %.80s\n", argv[i], strerror(errno));
            goto skip_this_file;
        }

        if (fchmod(fd, (mode_t)newmode) < 0) {
            perror("chmod");
        }

        if (close(fd) < 0) {
            perror("close");
        }

skip_this_file:;
    }
    return 0;
}

gcc -o chmod_wrapper chmod_wrapper.c

Then use a sudoers entry like

Cmnd_Alias      CHMOD=/usr/local/bin/chmod_wrapper [0-9][0-9][0-9] /export/home/test/[a-zA-Z0-9]*
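The symlink sequence and the wrapper's checks above, as an added example that is not code from the thread: a Python version of the same confinement logic (prefix check, no ".." or extra "/", open with O_NOFOLLOW, fchmod on the descriptor), run against a constructed temporary directory so the accepted and refused cases can be compared. The temporary directory stands in for /export/home/test, a file beside it stands in for /etc/passwd, and `guarded_chmod` and `demo` are names chosen here.

```python
import os
import stat
import tempfile


def guarded_chmod(base, mode_str, paths):
    """Apply an octal mode only to entries that sit directly inside `base`.

    Mirrors the thread's wrapper: the path must start with base, the
    remainder may not contain '..' or '/', the file is opened with
    O_NOFOLLOW so a planted symlink is refused, and fchmod() acts on the
    descriptor rather than chmod() on the name.  Returns {path: outcome}.
    """
    if not base.endswith("/"):
        base += "/"
    mode = int(mode_str, 8)  # ValueError if not octal
    if not 0 <= mode <= 0o7777:
        raise ValueError("mode out of range: %s" % mode_str)

    outcome = {}
    for p in paths:
        if not p.startswith(base):
            outcome[p] = "refused: outside base"
            continue
        name = p[len(base):]
        if name == "" or "/" in name or ".." in name:
            outcome[p] = "refused: invalid name"
            continue
        try:
            fd = os.open(p, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError as exc:
            # A symlink fails here with ELOOP, a missing file with ENOENT.
            outcome[p] = "refused: open failed (%s)" % exc.strerror
            continue
        try:
            os.fchmod(fd, mode)
            outcome[p] = "changed"
        finally:
            os.close(fd)
    return outcome


def demo():
    """Constructed scenario: a confined directory holding a regular file and a
    symlink that points at a file outside it (stand-in for /etc/passwd)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "cvs")
        os.mkdir(base)
        inside = os.path.join(base, "sample")
        outside = os.path.join(root, "passwd")  # constructed stand-in file
        for f in (inside, outside):
            with open(f, "w"):
                pass
            os.chmod(f, 0o600)
        link = os.path.join(base, "mylink")
        os.symlink(outside, link)
        dotdot = base + "/../passwd"

        results = guarded_chmod(base, "777", [inside, link, outside, dotdot])
        return {
            "inside": results[inside],
            "link": results[link],
            "outside": results[outside],
            "dotdot": results[dotdot],
            "inside_mode": stat.S_IMODE(os.stat(inside).st_mode),
            "outside_mode": stat.S_IMODE(os.stat(outside).st_mode),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the regular file inside the directory ends up mode 777; the symlink is refused at open() time, and the file it points at keeps its original mode, which is exactly what a plain `chmod 777` on the link would not have guaranteed.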
 
LVL 23

Accepted Solution

by: Mysidia (earned 500 total points)
ID: 22696064
Actually, I recommend adjusting the wrapper and using the same for chown.

The problem is

/home/cvs/[a-zA-Z0-9]*

matches more than one might think; for instance, it matches "sudo /usr/bin/chown /home/cvs/A /root/blah".

You can expand this a little

User_Alias      CVSTEST=test
Cmnd_Alias      CHOWN = /bin/chown -h test\:sysadmin -- /export/home/test/[a-zA-Z0-9]*
Cmnd_Alias      BLOCKED_CHOWN = /bin/chown -h test\:sysadmin -- * *
CVSTEST         ALL = (root)    CHOWN, !BLOCKED_CHOWN

to restrict a single sudo'd chown from containing more parameters than expected.

You can also use this technique if you later want to make certain files in the directory "not chownable" by the users you have listed in the 'CVSTEST' user alias.

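Why `/export/home/test/[a-zA-Z0-9]*` accepts a second argument, and how the `!BLOCKED_CHOWN` negation closes that, as an added example that is not from the thread: a small Python model of sudoers argument matching. It assumes (consistent with the sudoers manual's warning that wildcards match across word boundaries) that sudo joins the user's arguments with single spaces and compares the whole string with fnmatch(3); real sudo also handles quoting and other rule types, which this model leaves out. `evaluate` and `cases` are names chosen here.

```python
import fnmatch

# The two Cmnd_Alias entries from the accepted answer, split into program and
# argument pattern.  In sudoers the ':' is written "\:" so the parser does not
# treat it specially; the stored argument pattern holds a plain ':'.
CHOWN = ("/bin/chown", "-h test:sysadmin -- /export/home/test/[a-zA-Z0-9]*")
BLOCKED_CHOWN = ("/bin/chown", "-h test:sysadmin -- * *")


def args_match(pattern, argv):
    """Model of sudoers argument matching (assumption about sudo's internals):
    the user's arguments are joined with single spaces and the result is
    compared as ONE string with fnmatch(3).  '*' therefore matches spaces too,
    so a single trailing wildcard can swallow any number of extra arguments."""
    return fnmatch.fnmatchcase(" ".join(argv), pattern)


def evaluate(program, argv, allow=CHOWN, deny=BLOCKED_CHOWN):
    """Decide 'CVSTEST ALL = (root) CHOWN, !BLOCKED_CHOWN' for one command line.

    Returns (matches_allow, matches_deny, permitted).  With the negated alias
    listed last, a command that matches both entries is denied."""
    matches_allow = program == allow[0] and args_match(allow[1], argv)
    matches_deny = program == deny[0] and args_match(deny[1], argv)
    return matches_allow, matches_deny, matches_allow and not matches_deny


def cases():
    """Constructed command lines a user of the CVSTEST alias might type."""
    single = ["-h", "test:sysadmin", "--", "/export/home/test/sample"]
    extra = ["-h", "test:sysadmin", "--", "/export/home/test/A", "/root/blah"]
    hidden = ["-h", "test:sysadmin", "--", "/export/home/test/.profile"]
    nodash = ["-h", "test:sysadmin", "/export/home/test/sample"]
    return {
        "single": evaluate("/bin/chown", single),   # intended use
        "extra": evaluate("/bin/chown", extra),     # wildcard swallows /root/blah
        "hidden": evaluate("/bin/chown", hidden),   # '.' is outside the class
        "nodash": evaluate("/bin/chown", nodash),   # '--' is a literal in the rule
    }


if __name__ == "__main__":
    for name, (allow, deny, ok) in cases().items():
        print("%-7s allow=%s deny=%s -> %s" % (name, allow, deny,
                                                "permitted" if ok else "denied"))
```

The "extra" case is the one the answer warns about: CHOWN alone would permit it because `[a-zA-Z0-9]*` matches `A /root/blah` as a single string, and only the `* *` pattern in BLOCKED_CHOWN, which needs at least one space after the `--`, turns it into a denial.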
 

Author Comment

by:p0sreed
ID: 22708343
Ok. I misunderstood the requirement.

Mysidia,

How can I grant users permission to do whatever they want to files inside the directory /home/cvs through sudo?

Not only chown and chmod, but also rm, mv, cp, etc.