restrict sudo mv access to specific directory

awreneau · 07-15-2019, 04:00 PM

I have an application that runs scheduled jobs as user1 but needs to move files owned by user2. I've successfully allowed user1 to move user2 files w/ the following and my testing thus far proves that user1 cannot copy files to anywhere other than /home/user2/incoming/archive folder. I've tried copying to /tmp/ /home/user2 and so on.

I just need a sanity check to ensure I'm not overlooking something.

Code:

user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/* /home/user2/incoming/archive/

To over simplify I need user1 to have permissions to move user2 files one directory deeper into the file structure.

pan64 · 07-16-2019, 08:13 AM

you need to write a script which will do the job you need and allow execution of that job (probably without args?)

MensaWater · 07-16-2019, 09:09 AM

Quote:

Originally Posted by awreneau

Code:

user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/* /home/user2/incoming/archive/

You might want to test that by putting ../../../ etc... after incoming/ to verify it doesn't allow the user to substitute based on the * meta-character (i.e. verify it is literally requiring the user to type "*").

awreneau · 07-16-2019, 11:34 AM

Thanks for the suggestions! I tried the suggestion of MensaWater in 2 variations and a slight modification to limit to specific file names.

1. the target passed the test

Code:

sudo mv /home/user2/incoming/Asset_07* /home/user2/incoming/archive/../../../
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/Asset_07* /home/user2/incoming/archive/../../../' as root on servername.

2. the source passed the test, I really didn't suspect this but thought I'd give it a shot.

Code:

sudo mv /home/user2/incoming/../../../archive/Asset_07072019.csv /home/user2/incoming/
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/../../../archive/Asset_07072019.csv /home/user2/incoming/' as root on server.

I also limited the naming convention to a very specific structure and tested that successfully.

Code:

sudo mv /home/user2/incoming/test.test /home/user2/incoming/archive/
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/test.test /home/user2/incoming/archive/' as root on server.

So, the sudo rule is a follows:
user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/Asset_* /home/user2/incoming/archive/

@pan64 the script would be ideal, but this is a fluid environment at the moment, however I may leverage a script(s) if it becomes more complex.

Thoughts?