using chown in the sudoers file

Lisa Kachold lisakachold at obnosis.com
Tue Jan 26 16:13:40 MST 2010


/bin/chown is a suid program, I believe, and you are undoubtedly using
a newer version of visudo/sudoers that likes users and groups defined,
like so?

a) You assign users to a group then assign commands to the group in
the bottom part of the file:

User_Alias 	ADMINS = joe, bill, jake
User_Alias   	PARTTIME = jim, jeff, mike
User_Alias	LINUXGROUP = lyte, SirPlaya

Cmnd alias specification

This section is a way of grouping commands together. The syntax is:

Cmnd_Alias COMMANDALIASNAME = command1,command2,etc...

If you'd like to specify arguments, you can use [] and wildcards to
make commands. For instance, one of the below aliases, USERS, includes
/usr/sbin/adduser [A-z]*, which means that they can run
/usr/sbin/adduser and must have an argument of 1 or more letters.

Cmnd_Alias 	BROWSE = /bin/ls, /bin/cd, /bin/cat
Cmnd_Alias 	KILL = /bin/kill
Cmnd_Alias 	USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*

User privilege specification

This is the User privilege section. This is where you give out the
special privileges to users, or user aliases using the aliases we have
created above.

The syntax is:

USER HOST=COMMANDS

Where USER can be either a user name or user alias, as well as HOST
and COMMANDS.

The below line allows root access to everything... this shouldn't be a
problem as root can do whatever he/she wants anyway.

root	ALL=(ALL) ALL

This next line will allow the users specified in the ADMINS alias
(joe, bill, and jake) and give them access to everything as well.

ADMINS ALL=ALL

This next line will show you another interesting feature of sudo. This
allows the users in the PARTTIME alias (jim,jeff,mike) to do all of
the commands listed in USERS,KILL,and BROWSE aliases on all servers.
In addition to that, they may run /usr/bin/passwd followed by a word of
1 letter or more (the username of the password to change), but the last
option says that they CANNOT change root's password. ! is used to
represent the word "NOT".

PARTTIME ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root

This next line allows user "djg" access to everything on the hosts
listed in the alias DJNET(djbox1 and djbox2). It IS my network after
all. :)

djg DJNET=ALL

Finally, this last line allows the users listed in the alias
LINUXGROUP (lyte and SirPlaya) access to ALL commands as user "www"
and to all of the commands listed in the aliases KILL,USERS, and
BROWSE on the servers listed in the alias LINUXHELP(lingroup1 and
lingroup2).

Follow this HowTo:  http://www.linuxhelp.net/guides/sudo/

b) Another easy way to do this is to:

1) Chown the web directories to "webusers" group.

# chgrp -R webusers /var/www/html
# chmod -R g+rwx /var/www/html

Then

2) add that user to the group /etc/group of webusers.

AND

3) Only if you don't have follow symlinks enabled outside of
DocumentRoot (check in your httpd.conf, .htaccess files and virtual
host configuration), enable group execute to the "/bin/chown" command:

# chgrp webusers /bin/chown
# chmod g+rx /bin/chown

That way they can all execute that file.

Another fast way is to just add them to the wheel group of /etc/group
and change the line in /etc/sudoers for wheel, but that gives them
everything.

On Tue, Jan 26, 2010 at 3:30 PM, David <david at damnetwork.net> wrote:
> Ok, I'm at the point of frustration with this one.  I need to be able to give a specific user access to change ownership on all files in the web directory.
>
> I've added this to the /etc/sudoers file:
>
> xxxx1234                        ALL = NOPASSWD: /bin/chown * /var/www/html/invites
>
> Where xxxx1234 is the user I want to give access to.  However, after doing so, I get this:
>
> wwwphx:/var/www/html/invites>sudo chown vendor web.gif
> Sorry, user xxxx1234 is not allowed to execute '/bin/chown vendor web.gif' as root on server.name.com.
>
> I've tried various variations of said sudoer entry, with none working except giving carte blanche to the "chown" command, which I'm loathe to do.
>
> What am I doing wrong here?
>
> Thanks,
> David
>
> --
> "I find your lack of faith disturbing."
> --Darth Vader
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
Skype: (623)239-3392
AT&T: (503)754-4452
http://obnosis.110mb.com/nuke/index.php
http://uncyclopedia.wikia.com/wiki/Arizona
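Why David's rule rejects "chown vendor web.gif" can be seen by modelling how sudo matches a Cmnd list's argument wildcards against the space-joined arguments. This is an added example in Python, not sudo's own code; it reduces sudoers to command paths plus argument patterns (host, runas and alias expansion are left out) and assumes the already-resolved full path is passed in, as sudo does after finding the command.

```python
import fnmatch
import shlex

# Constructed model of sudoers command-argument matching (added example, not
# sudo's code): a Cmnd list is "path args, !path args, ...", argument patterns
# use shell-style wildcards, and the last matching entry decides.

def parse_cmnd_list(spec):
    """Turn 'cmd1 args, !cmd2 args' into (negated, path, arg_pattern) tuples."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].lstrip()
        path, _, args = item.partition(" ")
        # No argument pattern in the rule means any arguments are accepted.
        entries.append((negated, path, args.strip() or None))
    return entries

def entry_matches(entry, path, args):
    negated, rule_path, pattern = entry
    if rule_path != path:
        return False
    if pattern is None:
        return True
    # sudo compares the space-joined argument string against the pattern;
    # '*' also matches spaces, so one '*' can cover several arguments.
    return fnmatch.fnmatchcase(" ".join(args), pattern)

def allowed(spec, cmdline):
    """True if cmdline is permitted by the Cmnd list spec (last match wins)."""
    argv = shlex.split(cmdline)
    decision = False
    for entry in parse_cmnd_list(spec):
        if entry_matches(entry, argv[0], argv[1:]):
            decision = not entry[0]
    return decision

if __name__ == "__main__":
    # David's rule versus the command he typed from inside the directory
    davids_rule = "/bin/chown * /var/www/html/invites"
    print(allowed(davids_rule, "/bin/chown vendor web.gif"))                # False
    print(allowed(davids_rule, "/bin/chown vendor /var/www/html/invites"))  # True
    # The PARTTIME passwd rule from the howto: any user except root
    passwd_rule = "/usr/bin/passwd [A-z]*, !/usr/bin/passwd root"
    print(allowed(passwd_rule, "/usr/bin/passwd jim"))   # True
    print(allowed(passwd_rule, "/usr/bin/passwd root"))  # False
```

The rule only matches when the argument string ends in /var/www/html/invites, so the file must be named by that full path rather than relative to the current directory. Because '*' also matches spaces, such a rule accepts any number of arguments before the path, which is why the sudoers manual advises care with wildcard argument rules.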

