LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   chown delegation to user in some directory (https://www.linuxquestions.org/questions/linux-security-4/chown-delegation-to-user-in-some-directory-531326/)

Bogdan 02-22-2007 07:08 AM
chown delegation to user in some directory
 
Hi all. I have web software that need to create dirs in ftp root and change their owners.
webapp runs as: user1
ftp root owner: user2
and some virtual users (representedd as UIDs)
I create dirs with sudo: user1 ALL=(user2) NOPASSWD: /bin/mkdir
And call it as: sudo mkdir /home/user2/virtualuserdir1 - and it works.
But I need some way to do "chown 1222.1222 /home/user2/virtualuserdir1"
This way, I need to execute chown as root and only in /home/user2/
I need advice how to do this...

MensaWater 02-22-2007 10:09 AM
If it were me I'd put in a script that used the directory as a variable but tested the directory path to be sure it was in the user controlled directory. I'd then put both the mkdir and the chown in that script and tell sudo to access the script intead of the command.
Of course you should make sure the script you write only has permissions for root (since sudo will run it as root anyway).

Giving users "chown" is very dangerous (what if they make a file that contains "su -" then do "chown 4755" on the file. That would make the file a script that becomes the root user and allow anyone to execute it. Doing what I wrote above would minimize this.

I once worked at a place where the brain dead admin that worked on it gave users access to things like "sudo chown", "sudo vi" etc... I asked him why he didn't just remove the root password from the system since it would have the same effect. :rolleyes:

Bogdan 02-22-2007 03:20 PM
Thanx. I was about to start coding suid binary for this purpose, but looks like script under sudo will enough. I'll test there, if argument it is a directory. However, youe example will not work because suid scripts are imposible in linux AFAIK - at least suid interpreter required. But if user will upload binary backdoor and suid'em - it will be really bad, so - directory only, it seems to be secure, if I'l check path well.

MensaWater 02-22-2007 04:20 PM
Well I wasn't suggesting you actually create an suid script - just using it as an example of a hack if you gave someone chmod.

I wasn't aware suid script wouldn't run in Linux. I just tested it and got "Memory Fault" every time. On UNIX I don't get that.

But as said - best to go with the script.


All times are GMT -5. The time now is 09:28 AM.