Security – sudo chown – prevent ../

redhatSecuritysudo

Need to allow a user to chown files under a particular directory using sudo.
This does the trick:

user1 ALL= NOPASSWD: /bin/chown -[RPfchv] user2\:user2 /opt/some/path/[a-zA-Z0-9]*

But, does not prevent the user from being sneaky and doing something like:

[user1@rhel ~] sudo /bin/chown -v user2:user2 /opt/some/path/../../../etc/shadow

Any way to protect from this?
Machine is running Linux (Red Hat)

Best Answer

sudo introduces inherent security risks and it is generally ill advised to give to users that don't have high levels of trust.

Why not limit simply to recursive chown for the parent directory?

sudoers primarily uses globbing. According to the manpage, it doesn't match / on wildcards. More details in the manpage.

As far as a more advanced solution, a script should do the trick.

[root@server wmoore]# egrep '^wmoore' /etc/sudoers
wmoore ALL= NOPASSWD: /bin/chown -[RPfchv] wmoore\:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo -l
User wmoore may run the following commands on this host:
    (root) NOPASSWD: /bin/chown -[RPfchv] wmoore:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo chown -R wmoore:wmoore /home/wmoore/../../tmp/test
Sorry, user wmoore is not allowed to execute '/bin/chown -R wmoore:wmoore /home/wmoore/../../tmp/test' as root on server.

Oh, right. sudo package:

Name        : sudo                         Relocations: (not relocatable)
Version     : 1.6.9p17                          Vendor: CentOS
Release     : 3.el5_3.1                     Build Date: Tue 24 Mar 2009 07:55:42 PM EDT

CentOS5.

Related Topic