Old 05-20-2009, 04:55 PM   #1
trey85stang
sudoers - how to give access to certain directories?


Without changing permissions on a directory tree, is there any way to give sudo access to a specific directory so that admin staff could move/copy/edit files in those directories? I have an app that requires specific permissions to work correctly; it's either sudo access or root access. I'd prefer to stay away from giving full sudo access to everyone who needs to modify files in this application directory.

Is this possible or not?

Also, is there a way to give ALL permissions minus a specific command (su in particular)?

Thanks,
Trey
 
Old 05-20-2009, 05:52 PM   #2
archShade
You can take a command out of a sudo account by using the ! (not operator). For example, to let bill use all commands except su, shutdown, halt and poweroff, the line would look like this (in /etc/sudoers):

Code:
bill        ALL = (ALL) ALL !su !shutdown !halt !poweroff
This does not seem like a good idea, as there may be ways around the exact command, such as using a shell escape from another program.

You can give access to directories just like you can commands. For example, if you wanted bill, mike, pete and members of the project group to be able to access /path/to/project/*, you'd use:

Code:
User_Alias     THISGROUP = bill, mike, pete

THISGROUP, %project ALL= /path/to/project/*
The User_Alias statement should be near the top; all other statements should be with the main body of statements in the sudoers file.
 
Old 05-20-2009, 07:00 PM   #3
blackhole54
Quote:
Originally Posted by archShade View Post
You can take a command out of a sudo account by using the
Code:
User_Alias     THISGROUP = bill, mike, pete

THISGROUP, %project ALL= /path/to/project/*
Using wildcards in path names can be very tricky in sudo. Using the above example, I believe /path/to/project/../../../any/path/I/want/ would match.

Also, if I understand the man page correctly, the above command would allow commands to be run in the indicated directories but not allow files to be modified, which is what I understood the OP wanted. You might look at the sudoedit option for that (if the files to be modified are text files).

There is a SECURITY NOTES section of the sudoers man page that you may wish to look at.

Last edited by blackhole54; 05-20-2009 at 07:02 PM.
 
Old 05-21-2009, 09:24 AM   #4
trey85stang
Big thanks to both of you guys, I completely forgot about sudoedit. Luckily, the admins that will have root access I trust not to use loopholes, so that's not a big concern. The biggest concern for me is the directory access. I'll read up on sudoedit.

Thanks for the information, I really appreciate it.
 
Old 05-23-2009, 02:30 PM   #5
custangro
Quote:
Originally Posted by archShade View Post
You can take a command out of a sudo account by using the ! (not operator). For example, to let bill use all commands except su, shutdown, halt and poweroff, the line would look like this (in /etc/sudoers):

Code:
bill        ALL = (ALL) ALL !su !shutdown !halt !poweroff
This does not seem like a good idea, as there may be ways around the exact command, such as using a shell escape from another program.

You can give access to directories just like you can commands. For example, if you wanted bill, mike, pete and members of the project group to be able to access /path/to/project/*, you'd use:

Code:
User_Alias     THISGROUP = bill, mike, pete

THISGROUP, %project ALL= /path/to/project/*
The User_Alias statement should be near the top; all other statements should be with the main body of statements in the sudoers file.
FYI...in RHEL 5...

This doesn't work
Code:
bill        ALL = (ALL) ALL !su !shutdown !halt !poweroff
But this does work...

Code:
bill        ALL = (ALL) ALL,!su,!shutdown,!halt,!poweroff


-C
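
An added example, not part of any post in this thread: a small Python check that flags the three rule shapes discussed above (negations written without commas, `ALL` minus a list of excluded commands, and wildcards in a command specification). The sample rules are constructed from the thread's own lines; `app.conf` and the finding codes are hypothetical names.

```python
import re

# Constructed sample built from the rule shapes posted in this thread.
SAMPLE = """\
User_Alias     THISGROUP = bill, mike, pete
bill        ALL = (ALL) ALL !su !shutdown !halt !poweroff
bill        ALL = (ALL) ALL,!su,!shutdown,!halt,!poweroff
THISGROUP, %project ALL= /path/to/project/*
%project ALL = sudoedit /path/to/project/app.conf
"""

# Lines that are not user specifications: comments, Defaults, alias definitions.
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")
RUNAS = re.compile(r"^\([^)]*\)\s*")


def audit_sudoers(text):
    """Return sorted (line_number, code) findings for user specifications."""
    findings = set()
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or SKIP.match(line) or "=" not in line:
            continue
        # Everything after the first '=' is "(runas) command, command, ...".
        spec = RUNAS.sub("", line.split("=", 1)[1].strip())
        items = [item.strip() for item in spec.split(",") if item.strip()]
        for item in items:
            words = item.split()
            # "ALL !su" is a single item: the negation was never comma-separated.
            if any(word.startswith("!") for word in words[1:]):
                findings.add((number, "NEGATION_WITHOUT_COMMA"))
            # Globs need a review of everything they can match.
            if re.search(r"[*?\[]", item):
                findings.add((number, "WILDCARD"))
        # ALL minus a few commands is a blacklist: a permitted program that
        # can spawn a shell still reaches the excluded commands.
        if "ALL" in items and any(item.startswith("!") for item in items):
            findings.add((number, "ALL_MINUS_BLACKLIST"))
    return sorted(findings)


if __name__ == "__main__":
    for number, code in audit_sudoers(SAMPLE):
        print(f"line {number}: {code}")
```

This is a line-based heuristic that ignores line continuations and included files; `visudo -c` remains the syntax check for the real file.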
 
  

