Adding elevated permissions to scripts in a directory

2

I have a directory containing some scripts which I need to invoke from a web request. The scripts need elevated permissions to run.

My current thinking is to add the following lines to /etc/sudoers:

Cmnd_Alias WEB_COMMANDS = /path/to/scripts
www-data ALL=(ALL) NOPASSWD: WEB_COMMANDS

Is this the correct approach to this problem? Or am I causing a potential security vulnerability?

Using CentOS 7, if that makes any difference.

Sam Hastings

Posted 2018-03-09T14:33:08.883

Reputation: 23

Answers

0

Anything is a potential security vulnerability. Two things:

First of all, are you sure it needs root? Why? Can you do that with capabilities instead? (You probably can.)

That being said, your example is almost spot-on. Add an asterisk after the path:

Cmnd_Alias WEB_COMMANDS = /path/to/scripts/*

And now it will work. But beware, if any of those scripts can be modified by an attacker, the attacker gains FULL ROOT ACCESS. They can simply exec('/bin/bash') and have a shell. Definitely go the capabilities route per script if possible, and DEFINITELY lock down the script directory either way. See this unix.se answer for info on managing capabilities with scripts.

Duncan X Simpson

Posted 2018-03-09T14:33:08.883

Reputation: 1 171

Thanks for your advice. The library these scripts need to talk to is adamant that elevated permissions are required. I will check the capabilities info though in case that does turn out to work. If not, would it be sufficient to set the scripts' owner to root and permissions to 755 to prevent anyone from modifying them? – Sam Hastings – 2018-03-09T15:14:10.080

Tried upvoting your answer but can't do so with less than 15 reputation :-) – Sam Hastings – 2018-03-09T15:21:41.433

@SamHastings I'd say 755 is too open. Consider everything those scripts do. Could it be problematic if they were run when they weren't supposed to be? I'd say unless you know you need more open access, 0700. I typically will do 0775 or 0770, but when I'm dealing with passwordless sudo I tend to be extra paranoid. – Duncan X Simpson – 2018-03-09T15:45:31.207
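An added example, not part of the question or answers above: a shell audit of the directory that the wildcard sudoers rule exposes, reporting anything a non-owner could modify or replace. The function names are hypothetical, `stat -c` assumes GNU coreutils (as on CentOS 7), and the check covers the directory and its direct entries only, not its parent directories.

```bash
#!/usr/bin/env bash
# Added example: audit a directory matched by a NOPASSWD sudoers wildcard.
# Usage: audit_sudo_dir DIR [OWNER]    (OWNER defaults to root)

# Report and fail if TARGET is not owned by OWNER or is group/other writable.
check_path() (
    target=$1 owner=$2 rc=0
    actual=$(stat -c '%U' -- "$target") || exit 1
    mode=$(stat -c '%a' -- "$target") || exit 1
    if [ "$actual" != "$owner" ]; then
        echo "FINDING: $target owned by $actual, expected $owner"
        rc=1
    fi
    # 022 = group-write | other-write; a leading 0 makes the mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $target mode $mode is group/other writable"
        rc=1
    fi
    exit $rc
)

# Check DIR itself (write access there allows replacing any script)
# and every direct entry in it. Returns 0 only when nothing is flagged.
audit_sudo_dir() (
    dir=$1 owner=${2:-root} findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    check_path "$dir" "$owner" || findings=$((findings + 1))
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            # A symlink hands control to whoever can write its target.
            echo "FINDING: $entry is a symlink; audit its target separately"
            findings=$((findings + 1))
            continue
        fi
        check_path "$entry" "$owner" || findings=$((findings + 1))
    done
    echo "$findings path(s) with findings under $dir"
    [ "$findings" -eq 0 ]
)
```

Both root-owned 755 and root-owned 0700 pass this check; the difference discussed in the comments is who else may read or run the scripts, not who may change them.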