LinuxQuestions.org
Old 02-20-2013, 08:01 AM   #1
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 56

Allow users to chmod certain directories via sudoers file


Can anyone provide an example of what I should type in the sudoers file so a specific user (example: smith) can perform a chmod on files located in /data/security/ only?

It seems when I enter smith ALL=NOPASSWD:/bin/chmod 755 /data/security/* smith can perform a chmod on any files, regardless of the directory.

A million thanks,
Johnny Mac
 
Old 02-20-2013, 08:28 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

First you need to think about what a file under /data/security/ is. If it has hard links to a filename in some other location then it's debatable whether the file really qualifies. You can solve this problem by having a filesystem mounted at /data/security/ and nothing mounted below it (making the filesystem and the directory tree the same thing).

Then maybe you want to combine "chroot();chdir();chmod()" into one program so that when it is called with sudo it operates on file(s) under /data/security/ by being chrooted there and has no alternative regardless of the command line provided by the user. That's what I'd call the standard way to do it for a C programmer.

There is also a thing called "posix capabilities" containing CAP_FOWNER (see http://linux.die.net/man/7/capabilities) which looks as if it will allow chmod by users other than the owner. I suspect this is a worse option than the other.
 
Old 02-20-2013, 10:49 AM   #3
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 56

Original Poster
Not sure what Command to Type to mount to File System

linosaurusroot,

Sort of new to Linux. What command should I type to mount the directory as a separate file system? Is it something like mount /data/security?

Take care,
John
 
Old 02-20-2013, 12:25 PM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

Can you show your /etc/fstab? And estimate the largest amount of data that might ever exist under /data/security?
 
Old 02-20-2013, 01:01 PM   #5
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,233

Quote:
Originally Posted by johnmccarthy
It seems when I enter smith ALL=NOPASSWD:/bin/chmod 755 /data/security/* smith can perform a chmod on any files, regardless of the directory.
Right, because the way the command is parsed, you're allowing the chmod command. The arguments after it aren't getting shoveled along.
Quote:
Originally Posted by johnmccarthy View Post
linosaurusroot,
Sort of new to Linux. What command should I type to mount the directory as a separate file system? Is it something like mount /data/security?
Sorry, but all that is overkill, especially if you only ever want that user to run ONE COMMAND as sudo/root, and it doesn't really address things (or users), that you may want to add in the future.

The easiest thing to do would be for you to write a very small shell script with that one command in it. Make it owned by root:root ("chown root:root /path/to/scriptname"), and permissions of 700 (rwx------) ("chmod 700 /path/to/scriptname"), so that ONLY root can run or edit it. That's it.

In sudoers, restrict them to that one command, and deny ALL OTHERS, as so:
Code:
User_Alias     LIMITEDADMINS = username
LIMITEDADMINS  ALL=(ALL) /path/to/scriptname, /path/to/scriptname2, /sbin/ifconfig
The users in the LIMITEDADMINS group will be able to run the commands listed as root, and nothing else. If the script needs an argument, just have the script read it from the command line, so the user can call it like:
Code:
sudo /path/to/scriptname someargument
...and the "someargument" will get passed to the script, which will take action on it.

If you want more users to do it in the future, just add them to the alias group. More commands? Just add another script/command (comma-separated), and you're done.

Last edited by TB0ne; 02-20-2013 at 01:05 PM.
 
Old 02-20-2013, 01:06 PM   #6
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

Quote:
Originally Posted by TB0ne View Post
Sorry, but all that is overkill, especially if you only ever want that user to run ONE COMMAND as sudo/root .....
LIMITEDADMINS ALL=(ALL) /usr/local/bin/scriptname

He doesn't want them to run only one command. He wants them to chmod files under one directory. Once you put "chmod $1 $2" kind of thing in that script you are doomed.
 
Old 02-20-2013, 01:13 PM   #7
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,233

Quote:
Originally Posted by linosaurusroot View Post
He doesn't want them to run only one command. He wants them to chmod files under one directory.
...which is ONE COMMAND. The OP posted " can perform a chmod on files located in /data/security/ only?". So, since they only want to perform ONE operation on ONE location....
Quote:
Once you put "chmod $1 $2" kind of thing in that script you are doomed.
Please explain why. Yes, if you just shove that into a script it's a bad thing. If you write the script properly (that is, to check for the path name and/or hard code it in), then the user won't be able to chmod ANY files...just the ones allowed, which solves the problem. In this case, the OP very clearly states that they only want to chmod files located in /data/security. So, part of the script would be:
Code:
# mode 755 as in the OP's question; quoting keeps the name a single argument
chmod 755 "/data/security/$1"
Which will take only one argument (a file name), and chmod it. Putting in "/etc/sudoers" would then expand to "/data/security/etc/sudoers"...which is invalid, and won't work. A symbolic link from /etc/sudoers to /data/security/sudoers won't work, since the chmod doesn't change the SOURCE file, only the symlink, so they won't magically get rights to sudoers that way.
 
Old 02-20-2013, 01:55 PM   #8
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 56

Original Poster
linosaurusroot

linosaurusroot,

Here you go:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
 
Old 02-20-2013, 05:14 PM   #9
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

Quote:
Originally Posted by johnmccarthy View Post
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
OK so with that layout you'll be wanting an ext3-formatted loopback file present on the root partition mounted at /data/security/ .

Code:
#!/bin/sh

umask 022
cd /data/ || exit
[ -d security ] || exit

# Create the backing file once: 100 MB of zeros, readable only by root,
# then format it as ext3 (-F because the target is a regular file).
if [ ! -f storage.ext3 ]
then
    dd if=/dev/zero of=storage.ext3 bs=1M count=100 || exit
    chmod 0600 storage.ext3
    mkfs.ext3 -F /data/storage.ext3 || exit
fi
# Mount the image on a scratch mountpoint and copy the existing tree into it.
[ -d /mnt/ds ] || mkdir -p /mnt/ds
mount -o loop /data/storage.ext3 /mnt/ds || exit
(cd /data/security && tar cf - .) | (cd /mnt/ds && tar xvf -)
umount /mnt/ds || exit
# Set the old directory aside and mount the image in its place.
mv -i security OLD-security || exit
mkdir security || exit
mount -o loop /data/storage.ext3 /data/security
and add a line to your /etc/fstab for that.
Code:
/data/storage.ext3 /data/security ext3 defaults,loop 1 2
 
Old 02-20-2013, 05:41 PM   #10
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

Quote:
Originally Posted by TB0ne View Post
...which is ONE COMMAND. The OP posted " can perform a chmod on files located in /data/security/ only?". So, since they only want to perform ONE operation on ONE location....
We may have been interpreting this differently with
Code:
smith ALL=NOPASSWD:/bin/chmod 755 /data/security/*
meaning either "sudo /bin/chmod 755 /data/security/*" (literally one command) or "sudo /bin/chmod 755 /data/security/foo-bar-and-whatever-chosen-by-the-user" (choice of target but under that directory, possibly in a subdirectory) .

Quote:
Please explain why. Yes, if you just shove that into a script it's a bad thing. If you write the script properly (that is, to check for the path name and/or hard code it in), then the user won't be able to chmod ANY files...just the ones allowed, which solves the problem. In this case, the OP very clearly states that they only want to chmod files located in /data/security. So, part of the script would be:
Code:
# mode 755 as in the OP's question; quoting keeps the name a single argument
chmod 755 "/data/security/$1"
Which will take only one argument (a file name), and chmod it. Putting in "/etc/sudoers" would then expand to "/data/security/etc/sudoers"...which is invalid, and won't work. A symbolic link from /etc/sudoers to /data/security/sudoers won't work, since the chmod doesn't change the SOURCE file, only the symlink, so they won't magically get rights to sudoers that way.
I'll take it for granted you're testing the name and excluding parent directories (such as "/data/security/" + "../../etc/shadow" meaning "/etc/shadow").

I think you're assuming that only root has write access in /data/security/ (but we've not been told that by OP). If smith (or an accomplice or even an innocent user) writes there you have the possibility of something in that directory being a symbolic link to something outside the directory. It could even become this while the script is running (which is a race condition - what a C programmer might tackle with fchmod()).

I've just tested and chmod does follow symlinks on my system.
 
Old 02-20-2013, 06:04 PM   #11
Mol_Bolom
Member
 
Registered: Nov 2008
Location: S.W. Kansas
Distribution: Slackware64 14.0
Posts: 219
Blog Entries: 2

What about
# bash: ${1/*\/} strips everything up to the last slash, leaving the bare file name
test -f "/specific/directory/here/${1/*\/}" && chmod 755 "/specific/directory/here/${1/*\/}"

Although, I'm not too knowledgeable on this, but I presume this wouldn't allow any links nor any directories to be modified, as well as would keep anyone from modifying anything in any sub directories.
 
Old 02-20-2013, 06:32 PM   #12
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 750
Blog Entries: 2

Quote:
Originally Posted by Mol_Bolom View Post
What about
# bash: ${1/*\/} strips everything up to the last slash, leaving the bare file name
test -f "/specific/directory/here/${1/*\/}" && chmod 755 "/specific/directory/here/${1/*\/}"

Although, I'm not too knowledgeable on this, but I presume this wouldn't allow any links nor any directories to be modified, as well as would keep anyone from modifying anything in any sub directories.
The test and chmod occur at different times so if someone replaces the file by a symlink at just the right time you've got trouble.

What you'd do in C is open() the file (using its name) then test the file descriptor you had that it was the right one and finally do fchmod() on the descriptor (you don't care about the name at this stage).
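The open()/fstat()/fchmod() pattern described in this post, written out as an added example that is not from the thread or any poster. It assumes the directory /data/security and mode 755 from the original question, refuses any name containing a slash (the "../../etc/shadow" case from post #10), opens with O_NOFOLLOW so a symlink swapped in at the last moment is refused rather than followed, and checks that the descriptor it holds is a regular file on the directory's own filesystem (the mount-boundary idea from post #2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SAFE_DIR  "/data/security"  /* assumption: the directory from the OP's question */
#define SAFE_MODE 0755              /* assumption: the OP's "chmod 755" */

/* chmod dir/name through a descriptor; returns 0, or -1 with errno set. */
int safe_chmod(const char *dir, const char *name, mode_t mode)
{
    struct stat dst, fst;
    int dfd, fd, rc = -1;
    /* Bare filename only: no empty name, no "."/"..", no slash ("../../etc/shadow"). */
    if (*name == '\0' || strchr(name, '/') ||
        !strcmp(name, ".") || !strcmp(name, "..")) {
        errno = EINVAL;
        return -1;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0 || fstat(dfd, &dst) < 0)
        goto out_dir;
    /* Open relative to the directory fd. O_NOFOLLOW makes a symlink
     * swapped in at the last moment fail instead of being followed. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        goto out_dir;
    /* Check the object we hold: a regular file on the directory's own filesystem. */
    if (fstat(fd, &fst) < 0 || !S_ISREG(fst.st_mode) || fst.st_dev != dst.st_dev) {
        errno = EPERM;
        goto out_file;
    }
    rc = fchmod(fd, mode);  /* acts on the descriptor, never on the name */
out_file:
    close(fd);
out_dir:
    if (dfd >= 0) close(dfd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s filename\n", argv[0]); return 2; }
    if (safe_chmod(SAFE_DIR, argv[1], SAFE_MODE) < 0) { perror("safe_chmod"); return 1; }
    return 0;
}
```

Installed root-owned with mode 700 and listed in sudoers as the only permitted command, this is the sudo target; the user supplies a bare file name and nothing else reaches chmod.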
 
Old 02-20-2013, 06:53 PM   #13
Mol_Bolom
Member
 
Registered: Nov 2008
Location: S.W. Kansas
Distribution: Slackware64 14.0
Posts: 219
Blog Entries: 2

Quote:
Originally Posted by linosaurusroot View Post
The test and chmod occur at different times so if someone replaces the file by a symlink at just the right time you've got trouble.
Ah! Read something similar to that not long ago, just took me one more time reading it (here) to finally get it.

Also, just ran a few tests and found that even using "test -f", for some odd reason, still chmod'ed the linked file.


Quote:
What you'd do in C is open() the file (using its name) then test the file descriptor you had that it was the right one and finally do fchmod() on the descriptor (you don't care about the name at this stage).
After reading and trying all that, I would have to say writing a specific program seems the safest way to implement something like this.
 
Old 02-20-2013, 11:17 PM   #14
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,246

Going back to the original question, it seems to always be the same command for the same target(s).
How about inotify/inotifywait instead?
http://linux.die.net/man/7/inotify
http://linux.die.net/man/1/inotifywait

Alternately, how about changing the program that creates/moves/copies the file, to set the perms when it does so.
 
Old 02-21-2013, 11:44 AM   #15
johnmccarthy
Member
 
Registered: Jul 2010
Posts: 56

Original Poster
Resolved

Please allow me to begin by saying that this site has renewed my faith in community involvement whose charter is to help others when possible. I think each of your comments above is extraordinary and well thought out, and many who view this thread will benefit from your constructive criticism. After much thought and consideration I have decided to implement a simple and secure resolution. I have created a script that directs the changes I would have executed if I was at the console. This script can be executed by the general user after performing the sudo command and providing the path and respective script. This script is 700, and located in a folder which the general user cannot view (thus not modify).

If I could share the points/credit for solving this problem with all those who replied I would, since each solution would work, but based on my limited skill-set and security factors I have implemented TB0ne's concept. Going forward I hope to improve my Linux skills and share everything I know.

Take care,
Johnny Mac
 
  

