sudo help

Stephen Schaefer ncsa-discussion@ncsysadmin.org
Mon, 21 Oct 2002 09:42:09 -0700 (PDT)


If I understand you correctly, you want these folks to
be able to do, as root

/bin/mv /playground/<foo> /playground/<bar>
/bin/rm /playground/<rfoo>
/bin/cp /playground/<foo> /playground/<bar>
/bin/chmod 7777 /playground/<foo>
/bin/chown <user> /playground/<foo>

but not other things.

I have an important question: are these restrictions
intended to be gentle reminders to honest folks not to
exceed their authority, or are they supposed to be
serious deterrents to malefactors?

If the former, then sudo is more appropriate.  If the
latter, you're going to have to work a bit harder.
Suppose we compose syntax to implement your intent
(no, the above summary is not it).  Nothing then
prevents this series of commands:

% sudo /bin/chmod 777 /playground/.
% cp /bin/cp /playground/cp
% sudo /bin/chmod root /playground/cp
% sudo /bin/chmod 4555 /playground/cp
% /playground/cp myHackersShadowFile /etc/shadow

(I would have put /bin/sh in the playground and suid'd
it, but most shells these days refuse to run suid, as
an attempt to defend against just such an attack; the
vast majority of utilities, e.g., cp, have no such
safeguards.)

A real deterrent will need to chroot into /playground.
chroot environments are tedious to put together, but
you may be able to leverage the work described in

http://www.linuxorbit.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=538&page=1

Good luck,

    - Stephen
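As an added example (not from the thread), here is the kind of wrapper that a sudoers entry could name instead of the raw binaries: it confines every path argument to the intended directory and refuses the two steps Stephen's sequence depends on, changing the mode of the directory itself and setting a setuid bit. The /playground default, the function names and the use of GNU realpath are assumptions.

```shell
#!/bin/sh
# Added example: a wrapper meant to be the ONLY command sudoers grants, so each
# operation is checked before the real binary runs. $PLAYGROUND is an assumption.
PLAYGROUND="${PLAYGROUND:-/playground}"

# in_playground PATH: succeed only if the canonical path (symlinks and ".."
# resolved by GNU realpath -m) lies strictly below $PLAYGROUND. The directory
# itself fails, so "chmod 777 /playground/." is refused.
in_playground() {
    canon=$(realpath -m -- "$1" 2>/dev/null) || return 1
    case "$canon" in
        "$PLAYGROUND"/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# safe_mode MODE: accept only plain three-digit octal modes, so setuid,
# setgid and sticky bits (e.g. 4555, 7777) can never be set through sudo.
safe_mode() {
    case "$1" in
        [0-7][0-7][0-7]) return 0 ;;
        *)               return 1 ;;
    esac
}

# playground_op OP ARGS...: run /bin/OP only after every argument has passed
# in_playground. Options such as -R or --reference are not paths inside the
# directory, so they are refused as well. Returns 2 on refusal. A symlink race
# between check and exec remains; mounting the directory nosuid,noexec is the
# complementary control.
playground_op() {
    op=$1; shift
    case "$op" in
        chmod) safe_mode "$1" || return 2
               mode=$1; shift
               for f; do in_playground "$f" || return 2; done
               /bin/chmod "$mode" "$@" ;;
        chown) owner=$1; shift
               for f; do in_playground "$f" || return 2; done
               /bin/chown "$owner" "$@" ;;
        mv|cp|rm)
               for f; do in_playground "$f" || return 2; done
               "/bin/$op" "$@" ;;
        *)     return 2 ;;
    esac
}
```

The sudoers line would then grant only this script (with NOEXEC if the sudo build supports it), not /bin/mv and friends directly.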

-- John Turner <jdturner@nc.rr.com> wrote:
> I am trying to build a restricted sudoers file where
> I can give some people the ability to "mv, rm, cp,
> chmod, chown" files but only under a directory
> /playground. Because sudo doesn't support regular
> expressions I am having trouble.
> 
> So does anyone have a working sudoers file or
> another suggestion?
> Note this is under Solaris 8.
> 
> Thanks,
> John
> 

