Linux – using wildcards for paths in sudoers file

linuxsudowildcard

I'm trying to set up the sudoers file to allow users to chown files only under a
certain directory

for example

%hmis    ALL=/bin/chown eng:hmis /usr/lib/bogimac/bsc/*

is not good because hackers can do the following:

sudo chown eng:hmis /usr/lib/bogimac/bsc/xctrl.py /etc/important_file

Does anyone know how to prevent this?

Thanks

Best Answer

Even if you solve your immediate problem, someone could still type...

sudo chown eng:hmis /usr/lib/bogimac/bsc/../../../etc/shadow

Or any other permutation of the above. sudo isn't really the right tool for this sort of restriction. If you really need to delegate the ability to change ownership in a specific hierarchy like this, then your best bet is probably to write a simple wrapper script in your favorite high-level scripting language that iterates over its path arguments, sanitizes them, and checks them against a list of allowed prefixes.

Related Solutions

Security – sudo chown – prevent ../

sudo introduces inherent security risks and it is generally ill advised to give to users that don't have high levels of trust.

Why not limit simply to recursive chown for the parent directory?

sudoers primarily uses globbing. According to the manpage, it doesn't match / on wildcards. More details in the manpage.

As far as a more advanced solution, a script should do the trick.

[root@server wmoore]# egrep '^wmoore' /etc/sudoers
wmoore ALL= NOPASSWD: /bin/chown -[RPfchv] wmoore\:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo -l
User wmoore may run the following commands on this host:
    (root) NOPASSWD: /bin/chown -[RPfchv] wmoore:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo chown -R wmoore:wmoore /home/wmoore/../../tmp/test
Sorry, user wmoore is not allowed to execute '/bin/chown -R wmoore:wmoore /home/wmoore/../../tmp/test' as root on server.

Oh, right. sudo package:

Name        : sudo                         Relocations: (not relocatable)
Version     : 1.6.9p17                          Vendor: CentOS
Release     : 3.el5_3.1                     Build Date: Tue 24 Mar 2009 07:55:42 PM EDT

CentOS5.

Php – Apache sudoers access

visudo

add

nobody ALL=(ALL)NOPASSWD:/usr/bin/perl

replace nobody with whatever your apache user is.

But you shouldn't do that. Giving apache sudo access to perl essentially gives anyone instant root to your box who compromises a php application of yours.

You should check the umask for /tmp/newxml.xml and make sure it's writeably by your apache user.

Best Answer

Related Solutions

Security – sudo chown – prevent ../

Php – Apache sudoers access

Related Topic