sudo help

John Turner ncsa-discussion@ncsysadmin.org
Mon, 21 Oct 2002 13:30:47 -0400


My plan was not to let them chown to anyone outside a certain list. So they could not chown root.
But your point is taken and I have thought about chroot.

John

On Monday, October 21, 2002, at 12:42 PM, Stephen Schaefer wrote:

> If I understand you correctly, you want these folks to
> be able to do, as root
>
> /bin/mv /playground/<foo> /playground/<bar>
> /bin/rm /playground/<rfoo>
> /bin/cp /playground/<foo> /playground/<bar>
> /bin/chmod 7777 /playground/<foo>
> /bin/chown <user> /playground/<foo>
>
> but not other things.
>
> I have an important question: are these restrictions
> intended to be gentle reminders to honest folks not to
> exceed their authority, or are they supposed to be
> serious deterrents to malefactors?
>
> If the former, then sudo is more appropriate.  If the
> latter, you're going to have to work a bit harder.
> Suppose we compose syntax to implement your intent
> (no, the above summary is not it).  Nothing then
> prevents this series of commands:
>
> % sudo /bin/chmod 777 /playground/.
> % cp /bin/cp /playground/cp
> % sudo /bin/chmod root /playground/cp
> % sudo /bin/chmod 4555 /playground/cp
> % /playground/cp myHackersShadowFile /etc/shadow
>
> (I would have put /bin/sh in the playground and suid'd
> it, but most shells these days refuse to run suid, as
> an attempt to defend against just such an attack; the
> vast majority of utilities, e.g., cp, have no such
> safeguards.)
>
> A real deterrent will need to chroot into /playground.
> chroot environments are tedious to put together, but
> you may be able to leverage the work described in
>
> http://www.linuxorbit.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=538&page=1
>
> Good luck,
>
>     - Stephen
>
> -- John Turner <jdturner@nc.rr.com> wrote:
>> I am trying to build a restricted sudoers file where
>> I can give some
>> people the ability to "mv, rm, cp, chmod, chown"
>> files but only under a
>> directory /playground. Because sudo doesn't support
>> regular expressions
>> I am having trouble.
>>
>> So does anyone have a working sudoers file or
>> another suggestion?
>> Note this is under Solaris 8.
>>
>> Thanks,
>> John
>>
>> _______________________________________________
>> ncsa-discussion mailing list
>> ncsa-discussion@ncsysadmin.org
>>
> http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
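One defender-side way to get the effect John is after, given that sudo's argument matching cannot express "only under /playground": grant sudo on a single wrapper and put the policy in the wrapper. This is an added example, not code from the thread or from sudo; the `/playground` directory comes from the thread, while the `pgtool` name and the `alice`/`bob` owner allow-list are assumptions. It refuses each step of the escalation Stephen quotes: loosening the playground directory itself, setuid/setgid bits in chmod, chown to root, and any path that escapes the tree via `..` or a symlink.

```python
import os
import subprocess
import sys

PLAYGROUND = "/playground"                 # directory named in the thread
ALLOWED_OWNERS = {"alice", "bob"}          # hypothetical allow-list; root is never in it
TOOLS = {"mv": "/bin/mv", "rm": "/bin/rm", "cp": "/bin/cp",
         "chmod": "/bin/chmod", "chown": "/bin/chown"}

class PolicyError(Exception): pass

def check_path(p):
    """Accept only an absolute, '..'-free path that resolves strictly inside the playground."""
    if not p.startswith(PLAYGROUND + "/") or ".." in p.split("/"):
        raise PolicyError("not under %s: %s" % (PLAYGROUND, p))
    real = os.path.realpath(p)               # follows symlinks, collapses /./ and //
    if real == PLAYGROUND or not real.startswith(PLAYGROUND + "/"):
        raise PolicyError("resolves outside %s: %s" % (PLAYGROUND, p))  # e.g. /playground/.
    return real

def validate(argv):
    """Return the exact argv to run as root, or raise PolicyError."""
    if len(argv) < 2 or argv[0] not in TOOLS:
        raise PolicyError("usage: {mv|rm|cp|chmod|chown} ARG...")
    tool, args = argv[0], argv[1:]
    if any(a.startswith("-") for a in args):
        raise PolicyError("options are not permitted")   # no -R, no --reference
    if tool in ("chmod", "chown"):
        if len(args) < 2:
            raise PolicyError("%s needs a mode/owner and a path" % tool)
        if tool == "chmod":
            try:
                mode = int(args[0], 8)
            except ValueError:
                raise PolicyError("numeric mode required")
            if mode & 0o6000:                           # setuid or setgid bit set
                raise PolicyError("setuid/setgid bits refused")
            first = "%o" % mode
        elif args[0] not in ALLOWED_OWNERS:
            raise PolicyError("owner %r not in allow-list" % args[0])
        else:
            first = args[0]
        return [TOOLS[tool], first] + [check_path(p) for p in args[1:]]
    return [TOOLS[tool]] + [check_path(p) for p in args]

if __name__ == "__main__":                  # sudo /usr/local/sbin/pgtool chown alice /playground/foo
    try:
        sys.exit(subprocess.call(validate(sys.argv[1:])))
    except PolicyError as e:
        sys.exit("refused: %s" % e)
```

A window remains between the realpath check and the exec in which a user who can write to /playground could swap a path component for a symlink, so the wrapper narrows but does not replace the chroot Stephen recommends.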