2

I'm trying to set up the sudoers file to allow users to chown files only under a certain directory.

For example,

%hmis    ALL=/bin/chown eng:hmis /usr/lib/bogimac/bsc/*

is not good because hackers can do the following:

sudo chown eng:hmis /usr/lib/bogimac/bsc/xctrl.py /etc/important_file

Does anyone know how to prevent this?

Thanks

3 Answers

2

Even if you solve your immediate problem, someone could still type...

sudo chown eng:hmis /usr/lib/bogimac/bsc/../../../etc/shadow

Or any other permutation of the above. sudo isn't really the right tool for this sort of restriction. If you really need to delegate the ability to change ownership in a specific hierarchy like this, then your best bet is probably to write a simple wrapper script in your favorite high-level scripting language that iterates over its path arguments, sanitizes them, and checks them against a list of allowed prefixes.

larsks
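Added example, not part of larsks's answer or the original page: one way such a wrapper could look in Python, using the directory and the eng:hmis owner from the question. The names `ALLOWED_ROOT`, `resolve_allowed` and `chown_checked` are hypothetical, and the hard-link and symlink checks go beyond what the answer lists.

```python
#!/usr/bin/env python3
"""Wrapper meant to be the only command granted via sudo (illustrative sketch)."""
import os
import stat
import sys

ALLOWED_ROOT = "/usr/lib/bogimac/bsc"  # directory taken from the question


def resolve_allowed(path, root=ALLOWED_ROOT):
    """Return the canonical path if it lies strictly inside root, else raise ValueError."""
    root_real = os.path.realpath(root)
    real = os.path.realpath(path)  # collapses ".." and resolves symlinks
    if real == root_real or os.path.commonpath([root_real, real]) != root_real:
        raise ValueError(f"not under {root}: {path}")
    return real


def chown_checked(paths, uid, gid, root=ALLOWED_ROOT):
    """Validate every argument first, then change ownership through a file descriptor."""
    targets = [resolve_allowed(p, root) for p in paths]  # one bad path rejects the call
    for target in targets:
        # O_NOFOLLOW fails if the last component became a symlink after the check.
        # Intermediate directories can still be swapped by anyone who can write
        # inside the tree, so keep the tree itself writable only by trusted users.
        fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
        try:
            st = os.fstat(fd)
            # A hard link inside the tree may be a second name for a file elsewhere.
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                raise ValueError(f"refusing hard-linked file: {target}")
            os.fchown(fd, uid, gid)
        finally:
            os.close(fd)
    return targets


if __name__ == "__main__":
    import grp
    import pwd
    try:
        chown_checked(sys.argv[1:],
                      pwd.getpwnam("eng").pw_uid,
                      grp.getgrnam("hmis").gr_gid)
    except (ValueError, OSError, KeyError) as exc:
        sys.exit(f"refused: {exc}")
```

The owner and group are fixed inside the script, so the sudoers rule only needs to name the script and users never pass chown options or an owner themselves.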
1

Thanks for your answer, I hadn't thought of that. Since I only need to use the chown command for this particular command:

chown eng:hmis /usr/lib/bogimac/bsc/*

I decided to make a shell script to be run only by root and then allow that command to be run in sudo; see "Limit sudo to only one directory and it's subdirectories by sudoers file".

svbg
  • I was going to recommend this as well -- just make sure that the users don't have access to edit or delete the script. – Tim S. Aug 03 '17 at 17:46
1

We've implemented the following, which seems to work:

Cmnd_Alias EDIT =  /bin/rvi /usr/lib/bogimac/bsc/*, \
                  !/bin/rvi /usr/lib/bogimac/bsc/* *, \
                  !/bin/rvi /usr/lib/bogimac/bsc/*..*
Mark V