Limit sudo to only one directory and it's subdirectories by sudoers file

Question

So I would like to limit Apache to only change permissions in a certain folder and all of it's sub-directories, so this is what I have in my sudoers file

apache ALL= (ALL) NOPASSWD: /bin/chmod -R [g+ws] /var/www/sites/[a-z]+

But that does not appear to work. I sure I could get it to work by removing the restriction on the subfolder, but that seems dangerous as it would give a potential hacker unlimited access.

So is there a way to limit apache to only change files and folders within the "sites" folder or am I stuck giving unlimited access with chmod / chown?

Are there any big security holes using this approach?

You might be asking the wrong question -- **WHY** do you want to do what you're asking -- what problem are you trying to solve? There's almost always a better way than letting Apache (a server that the whole world interacts with) do *anything* as root. (See also Michael Lowman's comment below.) — voretaq7, Jun 17 '11 at 20:08
Apache should already own it's directories. Why do you need to give it sudo permissions? — Aaron Copley, Jun 17 '11 at 20:51
I just looked at what you are trying to do, again. I think you could accomplish what you want by setting the umask in Apache's init script. This would be infinitely better than giving Apache sudo. — Aaron Copley, Jun 17 '11 at 21:04
I'm trying to make a control panel for SVN. When a user does "svn up" is sets incorrect permissions and owner / group. Users also upload files into the folder and the sticky bit gets lost. So things become a mess so I want a "reset permissions" button that users can use via a web interface to make things all better. — SeanDowney, Jun 20 '11 at 17:15

score 3 · Accepted Answer · answered Jun 17 '11 at 20:01

3

It's probably better to make the chmod command a shell script to be only run by root and then allow that command to be run in sudo.

answered Jun 17 '11 at 20:01

Mike

21,910
7
55
79

You might also want to look into ensuring that the files are set correctly upon creation; check the [umask](http://en.wikipedia.org/wiki/Umask) if you're unfamiliar with it. – Michael Lowman Jun 17 '11 at 20:04
Seems like a much safer way to approach this – SeanDowney Jun 17 '11 at 20:05

score 3 · Answer 2 · edited Jun 16 '13 at 19:13

3

Ok, So apparently this does not use full regular expressions which I was expecting, a regular star did the trick:
apache ALL= (ALL) NOPASSWD: /bin/chmod -R [go]+ws /var/www/sites/*

This is very dangerous. It will open vulnerability in your server . What happen if a user manage to run chmod -R g+w /var/www/sites/../../../../etc/shadow?

edited Jun 16 '13 at 19:13

Mike

125
1
1
6

answered Jun 17 '11 at 20:03

SeanDowney

187
1
1
10

Limit sudo to only one directory and it's subdirectories by sudoers file

2 Answers2

Linked