3

In the /etc/sudoers file on my Red Hat server, I have this line:

    %webdevgroup ALL=NOPASSWD: /bin/chmod * /home/http/*

This is clearly a bad idea, since someone could do something like this:

    sudo /bin/chmod 777 /home/http/../../etc/sudoers

Is there a safer way to achieve this functionality without opening the server up to this security hole?

Zach
  • 41
  • 1
  • Why don't you create several groups and add users to a certain group? – 030 Nov 07 '14 at 19:33
  • 4
    Use filesystem ACLs so users don't have to run `chmod 777`. BTW, `chmod 777` is evil; you almost certainly don't want that if you want a half-way secure system. – Zoredache Nov 07 '14 at 19:34
  • utrecht: That doesn't solve the problem of an untrusted user needing to run this command. – Zach Nov 07 '14 at 19:36

1 Answer

1

If I understand your problem correctly, you want to give rights to webdevgroup on the directory /home/http/*.

ACL is a good option, but you can also have a look at setgid: What's the purpose of setgid directory?

bgtvfr
  • 1,224
  • 10
  • 19
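
The setgid and ACL approach suggested in the answer and comments above, as an added example that is not part of the original thread. The function names `share_tree` and `add_default_acl` are hypothetical, and the demo runs on a constructed scratch directory with the caller's own group so that it works without root.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# On the server in the question, root would run once:
#   share_tree /home/http webdevgroup && add_default_acl /home/http webdevgroup
# after which the sudoers chmod rule can be removed.

# share_tree DIR GROUP: hand the tree to GROUP and keep it that way.
share_tree() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" || return 1
    # X = execute only for directories and already-executable files.
    chmod -R g+rwX,o-w "$dir" || return 1
    # setgid directories: new files get the directory's group and new
    # subdirectories get the setgid bit too.
    find "$dir" -type d -exec chmod g+s {} + || return 1
}

# add_default_acl DIR GROUP: default ACL entries are copied to entries
# created later and are applied instead of the creator's umask.
add_default_acl() {
    dir=$1; group=$2
    command -v setfacl >/dev/null 2>&1 || return 1
    setfacl -R -m "g:$group:rwX" "$dir" || return 1
    find "$dir" -type d -exec setfacl -d -m "g:$group:rwX" {} + || return 1
}

# Demo on a constructed scratch tree with the caller's own group, so it
# runs without root. Prints "inherited" when a directory made after the
# setup carries the setgid bit.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/site/css"
    share_tree "$scratch/site" "$(id -g)" || return 1
    add_default_acl "$scratch/site" "$(id -g)" ||
        echo "ACL step skipped (setfacl missing or unsupported)" >&2
    mkdir "$scratch/site/js"
    if [ -g "$scratch/site/js" ]; then echo inherited; else echo "not inherited"; fi
    rm -rf "$scratch"
}

demo
```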