Old 10-10-2007, 03:11 AM   #1
mohrct
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
Sudo or user permissions?


Hello,

I'm working on a program in a shared environment on CentOS that needs to copy files to multiple users' home directories, and have them owned by the respective users.

The way I'm doing it now is with sudo...I did something like this:
chris ALL=(root) NOPASSWD: ALL

then in my code I do something like:
sudo cp files /home/other_user/files
sudo chown -R other_user /home/other_user/files
sudo chgrp -R other_user /home/other_user/files


Unfortunately though...I had a bit of a bug in my code, and I ended up running:
sudo chown -R other_user /

Needless to say, this caused some serious problems.


How can I set this up so it's safer?...can I limit my access in the sudoers file?

Thanks,
Chris
 
Old 10-10-2007, 04:41 AM   #2
Disillusionist
Senior Member
 
Registered: Aug 2004
Location: England
Distribution: Ubuntu
Posts: 1,039

Rep: Reputation: 98
You can set limits on what you can do with sudo, however you have currently set it to ALL which means you can run anything.

You can modify what sudo allows users to do using `visudo`

Be very careful when modifying entries!

I normally suggest:
  1. Don't run visudo using sudo
  2. Keep a running root session whilst you test (in case you need to fix any mistakes)

If you want to restrict use of vi, then you would have a sudoers file containing something like:
Code:
root ALL=(ALL) ALL

my_user ALL=(ALL) ALL, !/usr/bin/vi
 
Old 10-10-2007, 07:15 AM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
BTW, you can change owner and group in one cmd:
chown [flags] other_user:other_grp file-list

Last edited by chrism01; 10-10-2007 at 07:17 AM.
 
Old 10-10-2007, 08:02 AM   #4
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
Quote:
Originally Posted by mohrct
The way I'm doing it now is with sudo...I did something like this:
chris ALL=(root) NOPASSWD: ALL
You can restrict the user chris to only execute your program as root with the following line instead of yours.

chris ALL=NOPASSWD: /path/to/your/program

You could also use the suid flag.

chown root /path/to/your/program && chmod u+s /path/to/your/program

In both cases you should not need 'sudo' in your commands. With the setuid method, all users will be able to execute your program as root while the sudoers method restricts that to user chris.
 
Old 10-10-2007, 03:13 PM   #5
mohrct
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Further Clarification

Thanks for the feedback...but it still doesn't seem to be the solution I'm after.

Instead of limiting access to what programs can be run with sudo...is it possible to limit which files I can chown?

Or is there a better way of doing this?

My script will always be run as the same user by a webserver, and needs to create files in other users' home directories. Then lastly, change the owner and group to that other user.

What I am doing now works...but seems unsafe.
Essentially running cp and chown with root privileges, which allows me to do things like 'chown -R user /'...

I'd like to limit it...so that I can only do chowning to folders in /home. And further...there are certain user folders in /home that I would like to exclude as well.

Thanks,
Chris
 
Old 10-10-2007, 03:40 PM   #6
Disillusionist
Senior Member
 
Registered: Aug 2004
Location: England
Distribution: Ubuntu
Posts: 1,039

Rep: Reputation: 98
The only way I know would be to perform checks on the variable you are using to store the home directory.

Example code:
Code:
###
### Example shell script to copy files to users home directories
### and change the permissions
###

##l_user= code for selecting the user here
# Double quotes so that $l_user is expanded inside the pattern
l_home_dir=`grep "^$l_user:" /etc/passwd|cut -d':' -f6`

l_chk_home=`echo "$l_home_dir"|grep '^/home/'|wc -l`
if [ "$l_chk_home" -gt 0 ]
then
   ###
   ### users home dir is in /home
   ### safe to continue?
   ###
   # code to copy files and change permissions here.
   :   # no-op placeholder so the empty branch is valid shell
fi

Last edited by Disillusionist; 10-10-2007 at 03:42 PM.
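
The two suggestions in this thread (grant sudo for one program only, and validate the home directory before touching it) can be combined in a single root-owned wrapper. The following is an added example, not code from any post in the thread; the wrapper path, the sudoers rule, the exclusion list and the function names are all hypothetical, and it assumes every permitted home directory is exactly /home/<user>.

```shell
#!/bin/sh
# Added example (not from the thread). Root-owned wrapper meant to be the ONLY
# command granted in sudoers, e.g. (hypothetical path and rule):
#   chris ALL=(root) NOPASSWD: /usr/local/sbin/deliver-files
# Assumptions: homes are /home/<user>; EXCLUDED_USERS is a constructed sample.
export LC_ALL=C                      # make the a-z range below byte-exact
HOME_BASE=/home
EXCLUDED_USERS="admin backup"

# Return 0 only if user $1 with passwd home $2 is an allowed target.
is_safe_target() {
    user=$1 home=$2
    case $user in                    # plain account names only
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    for x in $EXCLUDED_USERS; do     # accounts that must never be touched
        if [ "$user" = "$x" ]; then return 1; fi
    done
    # Exact match rejects "", "/", "/root", "/home" and any "../" trick,
    # because $user was already limited to [a-z0-9_-].
    if [ "$home" = "$HOME_BASE/$user" ]; then return 0; fi
    return 1
}

# Copy $2 into the home of user $1, then give it to that user (run as root).
deliver() {
    user=$1 src=$2
    home=$(getent passwd "$user" | cut -d: -f6)
    if ! is_safe_target "$user" "$home"; then
        echo "refusing target: user='$user' home='$home'" >&2
        return 1
    fi
    dest=$home/files
    # The user controls their home: refuse a symlinked home or destination.
    if [ ! -d "$home" ] || [ -L "$home" ] || [ -L "$dest" ]; then return 1; fi
    group=$(id -gn "$user") || return 1
    cp -R -- "$src" "$dest" && chown -R -h -- "$user:$group" "$dest"
}

# Invoked as: sudo /usr/local/sbin/deliver-files <user> <source>
if [ "$#" -eq 2 ]; then deliver "$1" "$2"; fi
```

Because the sudoers rule names only the wrapper, a bug in the calling program can no longer reach `chown -R` on an arbitrary path; the wrapper itself must be owned by root and not writable by the calling user.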
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Sudo for more than one user MOCKBA Ubuntu 3 09-30-2006 02:38 AM
SUDO for user nobody tracer Linux - Newbie 3 01-12-2006 02:12 PM
sudo permissions problem cuto19 Ubuntu 8 11-30-2005 11:50 PM
Permissions in Debian - sudo works, su doesn't (etch/64Studio) greennick Linux - Software 0 09-12-2005 03:04 PM
sudo and permissions limit mfeoli Linux - General 2 05-05-2005 06:51 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration