
One of our users who has sudo privileges to multiple non-root users (role accounts for use with particular projects) would like to be able to change ownership of files among those users: e.g., if sudoers looks like

jane ALL=(widget-dev,releng) ALL
jane ALL=(root) rchown

then the user "jane" could use the hypothetical "rchown" (for "restricted chown") utility on files owned by any of jane, widget-dev, and releng to give them to any of those users.

I haven't been able to find an existing utility that does this. One of our users is asking for it and it seems like a reasonable thing to want, but I figured I would ask here and solicit war stories and dire warnings of security nightmares before I dive into writing (two bad ideas)

  1. yet another config file parser
  2. to be run as root.

Edited to add another worry about the logic: we only really want to do this for cases where the user can run ALL commands as the target user... right? Maybe it's never been implemented because it gets bogged down in such thoroughly site-specific questions.

Aaron D. Ball
  • Can you tell me why you wouldn't want to do this with ACLs on the filesystem? – Zoredache Mar 22 '11 at 00:01
  • Zoredache is pointing you in the right direction (if your FS supports ACLs, use 'em!). Otherwise there's no utility I'm aware of -- you'll need to write one (I suggest a perl script that wraps chown: config parsing will be handled for you, and it's relatively easy to write...) – voretaq7 Mar 22 '11 at 02:39
  • Zoredache, how exactly would you solve this problem with ACLs? POSIX.1 ACLs do not let you specify permission to change the owner of a file. (We don't use POSIX ACLs much---ordinary Unix permissions work for nearly everything, and ACLs continue to be a hassle to get working consistently in our mixed NFS and CIFS environment.) – Aaron D. Ball Mar 22 '11 at 18:29
  • If you're suggesting that we just not change the owner, and instead grant permissions to the other users with ACLs, yes, that's a workaround for the problem. We'd probably just make a group instead. But I'm interested in the problem as specified. – Aaron D. Ball Mar 22 '11 at 18:32

1 Answer

You could do this directly with sudo. When I first started thinking about how to do that, I quickly realized that the number of chowns you would have to specify for n users would be n^2 if you try to map them directly. But you can cut this down to 2n if you require the user to take ownership of each file before re-assigning it. So, your sudoers file might look like this:

User_Alias CHOWNADMIN1 = jane
Cmnd_Alias CHOWNUSR1 = /bin/chown --from widget-dev jane *, /bin/chown --from jane widget-dev *
Cmnd_Alias CHOWNUSR2 = /bin/chown --from releng jane *, /bin/chown --from jane releng *

CHOWNADMIN1     ALL= NOPASSWD: CHOWNUSR1, CHOWNUSR2

With this setup, Jane can now do a two-step process to change ownership:

sudo chown --from widget-dev jane /tmp/foofile
sudo chown --from jane releng /tmp/foofile

Notice that you must restrict this permission with --from, or you open up the possibility of granting the user "jane" the permission to take ownership of files like /etc/shadow or /root/.ssh/id_rsa (that could be bad).

Of course, you could now write a very simple script to automate the chowns. Perhaps something like the following, but with some error checking:

#!/bin/bash
# rchown FROM TO FILE... : move FILE(s) from owner FROM to owner TO
# by first taking them as the invoking user (matches the sudoers rules above).
FROM=$1
shift
TO=$1
shift

# Step 1: take ownership as $USER; stop here if sudo/chown refuses.
sudo chown --from "$FROM" "$USER" "$@" || exit 1
# Step 2: hand the files to the target user.
sudo chown --from "$USER" "$TO" "$@"

And now Jane can run "rchown releng widget-dev /tmp/foofile" or similar.

grep
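An error-checked version of that wrapper, as an added example that is not part of the original answer: it only accepts owners from an allowlist of role accounts (the hypothetical RCHOWN_PEERS variable, defaulting to widget-dev and releng as in the question), refuses option-like paths and missing files, and then performs the same two-step transfer through the sudoers rules shown above. RCHOWN_SUDO is a hypothetical hook so the script can be dry-run with `echo` in place of `sudo`.

```shell
#!/bin/sh
# rchown FROM TO FILE...  (added example, not from the original answer)
# Assumes the sudoers rules above: the caller may run
#   chown --from <peer> $USER FILE...   and   chown --from $USER <peer> FILE...
# RCHOWN_PEERS and RCHOWN_SUDO are hypothetical knobs: the role accounts jane
# may move files between, and the privilege command (set to "echo" to dry-run).
RCHOWN_PEERS="${RCHOWN_PEERS:-widget-dev releng}"
RCHOWN_SUDO="${RCHOWN_SUDO:-sudo}"
USER="${USER:-$(id -un)}"

# Succeed only if $1 is the caller or one of the configured role accounts.
rchown_allowed_user() {
    [ "$1" = "$USER" ] && return 0
    for peer in $RCHOWN_PEERS; do
        [ "$1" = "$peer" ] && return 0
    done
    return 1
}

# Reject unknown owners, a no-op transfer, option-like paths and missing files.
rchown_validate() {
    from="$1"; to="$2"; shift 2
    rchown_allowed_user "$from" || { echo "rchown: bad source owner: $from" >&2; return 1; }
    rchown_allowed_user "$to"   || { echo "rchown: bad target owner: $to" >&2; return 1; }
    [ "$from" != "$to" ]        || { echo "rchown: owners are identical" >&2; return 1; }
    [ $# -gt 0 ]                || { echo "usage: rchown FROM TO FILE..." >&2; return 1; }
    for f in "$@"; do
        case "$f" in -*) echo "rchown: refusing option-like path: $f" >&2; return 1 ;; esac
        [ -e "$f" ] || { echo "rchown: no such file: $f" >&2; return 1; }
    done
    return 0
}

# Two-step transfer: take the files as $USER, then hand them to TO. A hop is
# skipped when it would be a no-op (FROM or TO already is the caller).
rchown() {
    rchown_validate "$@" || return 1
    from="$1"; to="$2"; shift 2
    if [ "$from" != "$USER" ]; then
        $RCHOWN_SUDO chown --from "$from" "$USER" -- "$@" || return 1
    fi
    if [ "$to" != "$USER" ]; then
        $RCHOWN_SUDO chown --from "$USER" "$to" -- "$@" || return 1
    fi
}

# Run only when invoked as the rchown command (not when sourced or tested).
case "$0" in */rchown|rchown) rchown "$@" ;; esac
```

Because a `*` in sudoers matches across multiple arguments, the rules above still admit extra chown options when jane runs sudo directly; the wrapper's path check is defense in depth, and the sudoers rules remain the actual boundary.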