LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-15-2019, 04:00 PM   #1
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 37

Rep: Reputation: 15
restrict sudo mv access to specific directory


I have an application that runs scheduled jobs as user1 but needs to move files owned by user2. I've successfully allowed user1 to move user2 files w/ the following and my testing thus far proves that user1 cannot copy files to anywhere other than /home/user2/incoming/archive folder. I've tried copying to /tmp/ /home/user2 and so on.

I just need a sanity check to ensure I'm not overlooking something.


Code:
user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/* /home/user2/incoming/archive/
To over simplify I need user1 to have permissions to move user2 files one directory deeper into the file structure.
 
Old 07-16-2019, 08:13 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,103

Rep: Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145Reputation: 4145
you need to write a script which will do the job you need and allow execution of that job (probably without args?)
 
Old 07-16-2019, 09:09 AM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,814
Blog Entries: 15

Rep: Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661Reputation: 1661
Quote:
Originally Posted by awreneau View Post
Code:
user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/* /home/user2/incoming/archive/
You might want to test that by putting ../../../ etc... after incoming/ to verify it doesn't allow the user to substitute based on the * meta-character (i.e. verify it is literally requiring the user to type "*").
 
Old 07-16-2019, 11:34 AM   #4
awreneau
Member
 
Registered: Aug 2003
Location: GA
Distribution: Ubuntu
Posts: 37

Original Poster
Rep: Reputation: 15
Thanks for the suggestions! I tried the suggestion of MensaWater in 2 variations and a slight modification to limit to specific file names.

1. the target passed the test

Code:
sudo mv /home/user2/incoming/Asset_07* /home/user2/incoming/archive/../../../
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/Asset_07* /home/user2/incoming/archive/../../../' as root on servername.
2. the source passed the test, I really didn't suspect this but thought I'd give it a shot.

Code:
sudo mv /home/user2/incoming/../../../archive/Asset_07072019.csv /home/user2/incoming/
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/../../../archive/Asset_07072019.csv /home/user2/incoming/' as root on server.
I also limited the naming convention to a very specific structure and tested that successfully.

Code:
sudo mv /home/user2/incoming/test.test /home/user2/incoming/archive/
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/mv /home/user2/incoming/test.test /home/user2/incoming/archive/' as root on server.

So, the sudo rule is a follows:
user1 ALL=(ALL) NOPASSWD: /bin/mv /home/user2/incoming/Asset_* /home/user2/incoming/archive/



@pan64 the script would be ideal, but this is a fluid environment at the moment, however I may leverage a script(s) if it becomes more complex.

Thoughts?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Permission to restrict specific folder for sudo user gawandi Linux - Security 1 11-29-2017 08:01 PM
how to restrict SSH - WinSCP access for Users only to a specific directory??? cyberdome Linux - Security 1 08-21-2014 12:24 AM
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
[SOLVED] Using sudo to give read access to specific directory savona Linux - Security 14 01-31-2012 10:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration