Several helpful answers/suggestions:-

1/ Via a shell script or some other means, chroot the sudo session to the directory tree in question first. This means you'll need a /bin/sh in the chrooted tree, of course. You'll also need the chmod and chown commands in the chroot environment, and any libraries they depend on, and possibly also device nodes. This would definitely work, but requires quite a lot of support infrastructure, and is a little untidy.

2/ Write a wrapper script around chmod and chown. Downsides of this are that people can do things like:-

    cd /safe/directory
    cp /bin/bash .
    sudo scriptedchown root:root /safe/directory/bash
    sudo scriptedchmod 4755 /safe/directory/bash
    /safe/directory/bash

So, to be secure, the wrapper would have to ensure that the path was under the safe directory (to avoid any /path/../etc/passwd tricks), and would probably need to enforce certain limitations (maybe can't chown *to* root, no suid bit). Awkward to actually get genuine security out of it.

3/ Use of chattr was also suggested, but short of making lots of stuff immutable would be difficult to deal with.

4/ Lastly, and not actually what I was after originally, there was the suggestion that I use ACLs. After considering all the other options that are suggested, I'm coming around to this rather more - while it does involve a level of complexity I was hoping to avoid, it seems to offer the cleanest and most elegant solution to the problem. Doing this requires a filesystem that supports ACLs, and also requires that one's backup strategy backs up ACL info. As it happens, the machines I'd want to implement this on are running XFS, and being backed up with xfsdump, so both of these pre-requisites are satisfied in my case.

After considering all the options, I'll certainly be spending some time looking into the ACL option, as combining this with sudo seems to offer the best compromise on delegating partial root authority without giving away the farm. It doesn't solve all the problems, but does avoid at least some of the situations where I'd like to provide chown and chmod to non-root users.

Thanks to D. Stimits, Evan Cofsky, Jason Price, Christian Miller, Madhu Muchalambkar and V.Saravanan.

Mike.

> Hi,
>
> I run several systems, and in an effort to stop admin people logging in
> as root too frequently, I have implemented sudo so junior admins can
> have the access they need to do their job without needing the root
> password (which makes me nervous).
>
> However, I'd like to be able to provide access to chmod and chown
> through sudo, but only for files within a certain directory tree. They
> need to be able to change ownership, but I obviously don't want them to
> be able to execute chown as root on any arbitrary file. It's not
> immediately obvious how to achieve this with sudo, and I was wondering
> if anyone has done anything similar, and what they've used to retain some
> security.
>
> Mike.
> _______________________________________________
> LinuxManagers mailing list - http://www.linuxmanagers.org
> submissions: LinuxManagers@linuxmanagers.org
> subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers