Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
02-22-2007, 07:08 AM
|
#1
|
|
Member
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120
Rep: 
|
chown delegation to user in some directory
Hi all. I have web software that need to create dirs in ftp root and change their owners.
webapp runs as: user1
ftp root owner: user2
and some virtual users (representedd as UIDs)
I create dirs with sudo: user1 ALL=(user2) NOPASSWD: /bin/mkdir
And call it as: sudo mkdir /home/user2/virtualuserdir1 - and it works.
But I need some way to do "chown 1222.1222 /home/user2/virtualuserdir1"
This way, I need to execute chown as root and only in /home/user2/
I need advice how to do this...
|
|
|
|
|
02-22-2007, 10:09 AM
|
#2
|
|
Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,644
|
If it were me I'd put in a script that used the directory as a variable but tested the directory path to be sure it was in the user controlled directory. I'd then put both the mkdir and the chown in that script and tell sudo to access the script intead of the command.
Of course you should make sure the script you write only has permissions for root (since sudo will run it as root anyway).
Giving users "chown" is very dangerous (what if they make a file that contains "su -" then do "chown 4755" on the file. That would make the file a script that becomes the root user and allow anyone to execute it. Doing what I wrote above would minimize this.
I once worked at a place where the brain dead admin that worked on it gave users access to things like "sudo chown", "sudo vi" etc... I asked him why he didn't just remove the root password from the system since it would have the same effect.  |
|
|
|
|
02-22-2007, 03:20 PM
|
#3
|
|
Member
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120
Original Poster
Rep:
|
Thanx. I was about to start coding suid binary for this purpose, but looks like script under sudo will enough. I'll test there, if argument it is a directory. However, youe example will not work because suid scripts are imposible in linux AFAIK - at least suid interpreter required. But if user will upload binary backdoor and suid'em - it will be really bad, so - directory only, it seems to be secure, if I'l check path well.
|
|
|
|
|
02-22-2007, 04:20 PM
|
#4
|
|
Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,644
|
Well I wasn't suggesting you actually create an suid script - just using it as an example of a hack if you gave someone chmod.
I wasn't aware suid script wouldn't run in Linux. I just tested it and got "Memory Fault" every time. On UNIX I don't get that.
But as said - best to go with the script.
|
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 03:27 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
