I'm trying to set up the sudoers file to allow users to chown files only under a certain directory, for example:
%hmis ALL=/bin/chown eng:hmis /usr/lib/bogimac/bsc/*
is not good because hackers can do the following:
sudo chown eng:hmis /usr/lib/bogimac/bsc/xctrl.py /etc/important_file
Does anyone know how to prevent this?
Thanks
Best Answer
Even if you solve your immediate problem, someone could still type...
Or any other permutation of the above.
sudo isn't really the right tool for this sort of restriction. If you really need to delegate the ability to change ownership in a specific hierarchy like this, then your best bet is probably to write a simple wrapper script in your favorite high-level scripting language that iterates over its path arguments, sanitizes them, and checks them against a list of allowed prefixes.
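
One way to write the wrapper described in the answer above, as an added example that is not part of the original answer. It assumes the directory and the eng:hmis owner and group from the question; the function names and the extra hard-link and file-type checks are choices made for this example.

```python
#!/usr/bin/env python3
# Added example: a restricted chown wrapper to list in sudoers in place of
# /bin/chown. Not code from the original answer.
import grp
import os
import pwd
import stat
import sys

ALLOWED_ROOT = "/usr/lib/bogimac/bsc"  # directory from the question
OWNER, GROUP = "eng", "hmis"           # fixed owner:group from the question


def check_path(path, root=ALLOWED_ROOT):
    """Return the canonical path if it may be chowned, else raise ValueError."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)  # collapses ".." and resolves symlinks
    # commonpath compares whole components, so <root>_evil does not match <root>
    if real == root or os.path.commonpath([root, real]) != root:
        raise ValueError(f"{path}: not under {root}")
    st = os.lstat(real)
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        raise ValueError(f"{path}: not a regular file or directory")
    # A hard link inside the tree can be a second name for a file elsewhere.
    if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
        raise ValueError(f"{path}: has more than one hard link")
    return real


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} PATH...", file=sys.stderr)
        return 2
    uid = pwd.getpwnam(OWNER).pw_uid
    gid = grp.getgrnam(GROUP).gr_gid
    status = 0
    for arg in argv[1:]:
        try:
            # lchown does not follow a symlink in the final path component
            os.lchown(check_path(arg), uid, gid)
        except (ValueError, OSError) as exc:
            print(f"refused: {exc}", file=sys.stderr)
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The sudoers rule would then name only this script, with no arguments or wildcards, so all path checking happens in the script. The check and the chown are separate steps, so directories inside the tree should not be writable by the users who invoke the wrapper.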