sudo help

[Daniel E Singer]

On Mon, 21 Oct 2002, John Turner wrote:

 > I am trying to build a restricted sudoers file where I can give some
 > people the ability to "mv, rm, cp, chmod, chown" files but only under a
 > directory /playground. Because sudo doesn't support regular expressions
 > I am having trouble.
 >
 > So does anyone have a working sudoers file or another suggestion?
 > Note this is under Solaris 8.

Here's my suggestion, and if anyone sees security problems with it,
please point them out.  (I haven't tried this!)

Make a directory, such as /usr/playground_commands

In there, put some scripts (whichever lang. you choose) that are
wrappers for the commands you want to allow.  This can actually just
be one script with several links to it, or one script with a flag
that indicates the command.

The script will: check the current directory, carefully check command
arguments (eg, for things like ../../../home/jack/... or redirection,
etc) and the environment (maybe just setting selected env. variables
and clearing the rest), then run the command if everything is OK.

Set up the sudoers entry so that the approp. users can execute
commands in the /usr/playground_commands directory.

Note: If the commands directory goes under /playground, you'll have to
make sure that the wrappers do not allow anyone to change anything to
do with the wrappers themselves or add new scripts.  So it's maybe
easier to just put them somewhere else.

This is just thinking out loud, so again, if anyone sees holes in this
approach, please speak up.

-Dan

-- 
Daniel E. Singer, System Administrator
Dept. of Computer Science, Duke University, Durham NC 27708 USA