Is there any way to limit the directories a specific user can execute commands upon after they have been added to the sudoers file?

For example, I have the following in my sudoers file:

user1 ALL=(root) /bin/chown,/bin/chmod,/bin/chgrp

I only want 'user1' to be able to change permissions on files in /mnt/apps1/ and its subdirectories.

I tried the following without any luck.

user1 ALL=(root) /bin/chown,/bin/chmod,/bin/chgrp /mnt/apps1/*

Hi lcwilson,

Welcome to LQ!!!

When you add a user to sudoers and provide the user access to certain commands then it means that it will run those commands with assigned privilege. So basically if you configure say user1 to run a command with root privilege in /etc/sudoers then that user is authorized to run those command on any directory / service (if configured).

As you said that you want user1 to be able to change permissions on files in /mnt/apps1 and its subdirectories I would say an easier way would be to make user1 owner of that directory. Adding that user in /etc/sudoers will give him unecessary privileges.

You can run the following command to make user1 owner of /mnt/apps1 and its subdirectories:

In this way he will be able to change permission of that directory and its subdirectories.

Not that I know of. But you can write a wrapper script (e.g. /usr/local/bin/foochmod), and make the user a sudoer for the wrapper. If your wrapper script accepts input data, validate it carefully.

T3RM1NVT0R's answer is probably the right approach, though.