Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
02-22-2007, 07:08 AM
|
#1
|
Member
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120
Rep:
|
chown delegation to user in some directory
Hi all. I have web software that need to create dirs in ftp root and change their owners.
webapp runs as: user1
ftp root owner: user2
and some virtual users (representedd as UIDs)
I create dirs with sudo: user1 ALL=(user2) NOPASSWD: /bin/mkdir
And call it as: sudo mkdir /home/user2/virtualuserdir1 - and it works.
But I need some way to do "chown 1222.1222 /home/user2/virtualuserdir1"
This way, I need to execute chown as root and only in /home/user2/
I need advice how to do this...
|
|
|
02-22-2007, 10:09 AM
|
#2
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
If it were me I'd put in a script that used the directory as a variable but tested the directory path to be sure it was in the user controlled directory. I'd then put both the mkdir and the chown in that script and tell sudo to access the script intead of the command.
Of course you should make sure the script you write only has permissions for root (since sudo will run it as root anyway).
Giving users "chown" is very dangerous (what if they make a file that contains "su -" then do "chown 4755" on the file. That would make the file a script that becomes the root user and allow anyone to execute it. Doing what I wrote above would minimize this.
I once worked at a place where the brain dead admin that worked on it gave users access to things like "sudo chown", "sudo vi" etc... I asked him why he didn't just remove the root password from the system since it would have the same effect.
|
|
|
02-22-2007, 03:20 PM
|
#3
|
Member
Registered: May 2001
Location: Belarus
Distribution: Debian
Posts: 120
Original Poster
Rep:
|
Thanx. I was about to start coding suid binary for this purpose, but looks like script under sudo will enough. I'll test there, if argument it is a directory. However, youe example will not work because suid scripts are imposible in linux AFAIK - at least suid interpreter required. But if user will upload binary backdoor and suid'em - it will be really bad, so - directory only, it seems to be secure, if I'l check path well.
|
|
|
02-22-2007, 04:20 PM
|
#4
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
Well I wasn't suggesting you actually create an suid script - just using it as an example of a hack if you gave someone chmod.
I wasn't aware suid script wouldn't run in Linux. I just tested it and got "Memory Fault" every time. On UNIX I don't get that.
But as said - best to go with the script.
|
|
|
All times are GMT -5. The time now is 06:24 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|