LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-22-2007, 07:08 AM   #1
Bogdan
Member
 
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120

Rep: Reputation: 15
chown delegation to user in some directory


Hi all. I have web software that need to create dirs in ftp root and change their owners.
webapp runs as: user1
ftp root owner: user2
and some virtual users (representedd as UIDs)
I create dirs with sudo: user1 ALL=(user2) NOPASSWD: /bin/mkdir
And call it as: sudo mkdir /home/user2/virtualuserdir1 - and it works.
But I need some way to do "chown 1222.1222 /home/user2/virtualuserdir1"
This way, I need to execute chown as root and only in /home/user2/
I need advice how to do this...
 
Old 02-22-2007, 10:09 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,007
Blog Entries: 5

Rep: Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783
If it were me I'd put in a script that used the directory as a variable but tested the directory path to be sure it was in the user controlled directory. I'd then put both the mkdir and the chown in that script and tell sudo to access the script intead of the command.
Of course you should make sure the script you write only has permissions for root (since sudo will run it as root anyway).

Giving users "chown" is very dangerous (what if they make a file that contains "su -" then do "chown 4755" on the file. That would make the file a script that becomes the root user and allow anyone to execute it. Doing what I wrote above would minimize this.

I once worked at a place where the brain dead admin that worked on it gave users access to things like "sudo chown", "sudo vi" etc... I asked him why he didn't just remove the root password from the system since it would have the same effect.
 
Old 02-22-2007, 03:20 PM   #3
Bogdan
Member
 
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120

Original Poster
Rep: Reputation: 15
Thanx. I was about to start coding suid binary for this purpose, but looks like script under sudo will enough. I'll test there, if argument it is a directory. However, youe example will not work because suid scripts are imposible in linux AFAIK - at least suid interpreter required. But if user will upload binary backdoor and suid'em - it will be really bad, so - directory only, it seems to be secure, if I'l check path well.
 
Old 02-22-2007, 04:20 PM   #4
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,007
Blog Entries: 5

Rep: Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783Reputation: 783
Well I wasn't suggesting you actually create an suid script - just using it as an example of a hack if you gave someone chmod.

I wasn't aware suid script wouldn't run in Linux. I just tested it and got "Memory Fault" every time. On UNIX I don't get that.

But as said - best to go with the script.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Chown command giving invalid user ServerStorm Linux - Software 6 03-23-2010 02:42 AM
chown-ing all files on a drive owned by one user. nkoplm Linux - General 1 10-26-2006 06:20 AM
script to untar a .gz file and then chown it for a user?? dsids Linux - Newbie 2 08-23-2006 12:42 AM
/dev/scd0 chown to console user? gmasci Linux - General 0 03-11-2003 12:48 PM
chown -R $USER /usr/src/redhat illtbagu Linux - Newbie 8 01-21-2003 01:36 PM


All times are GMT -5. The time now is 11:05 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration