grant access to a command only for certain arguments (chown for a path)

I have a script that require to change the owner recursively in a folder

there is my specific sudoers file: /etc/sudoers.d/jenkins

jenkins ALL=(ALL) NOPASSWD: /bin/chmod, /bin/chown

and this is the command that jenkins need to execute:

chown -R apache:apache /var/www/vhosts/${HOST}/${PROJECT}

for security reasons, i need to restrict the sudo permissions only for chown with argument /var/www/vhosts/***

there are some regex in sudoers file to do this?

permissions
sudo
jenkins
sudoers

Antonio Fernandez

Posted 2019-04-17T13:01:23.133

Reputation: 3

Answers

Yes, you can use wildcards:

jenkins ALL=(ALL) NOPASSWD: /bin/chown -R apache:apache /var/www/vhosts/*

Though it's probably safer from a security perspective to write your own script so that you can validate arguments and ensure that only exactly the paths you want to affect are affected:

jenkins ALL=(ALL) NOPASSWD: /usr/local/bin/my-custom-chown-script

jayhendren

Posted 2019-04-17T13:01:23.133

Reputation: 378