Another great post from Lisa to store and re-read some day when I understand more of it :)

On Tue, Jan 26, 2010 at 4:13 PM, Lisa Kachold wrote:

> /bin/chown is a suid program, I believe, and you are undoubtedly using
> a newer version of visudo/sudoers that likes users and groups defined,
> like so?
>
> a) You assign users to a group then assign commands to the group in
> the bottom part of the file:
>
> User_Alias ADMINS = joe, bill, jake
> User_Alias PARTTIME = jim, jeff, mike
> User_Alias LINUXGROUP = lyte, SirPlaya
>
> Cmnd alias specification
>
> This section is a way of grouping commands together. The syntax is:
>
> Cmnd_Alias COMMANDALIASNAME = command1,command2,etc...
>
> If you'd like to specify arguments, you can use [] and wildcards to
> make commands. For instance, one of the below aliases, USERS, includes
> /usr/sbin/adduser [A-z]*, which means that they can run
> /usr/sbin/adduser and must have an argument of 1 or more letters.
>
> Cmnd_Alias BROWSE = /bin/ls, /bin/cd, /bin/cat
> Cmnd_Alias KILL = /bin/kill
> Cmnd_Alias USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*
>
> User privilege specification
>
> This is the User privilege section. This is where you give out the
> special privileges to users, or user aliases using the aliases we have
> created above.
>
> The syntax is:
>
> USER HOST=COMMANDS
>
> Where USER can be either a user name or user alias, as well as HOST
> and COMMANDS.
>
> The below line allows root access to everything... this shouldn't be a
> problem as root can do whatever he/she wants anyway.
>
> root ALL=(ALL) ALL
>
> This next line will allow the users specified in the ADMINS alias
> (joe, bill, and jake) and give them access to everything as well.
>
> ADMINS ALL=ALL
>
> This next line will show you another interesting feature of sudo. This
> allows the users in the PARTTIME alias (jim, jeff, mike) to do all of
> the commands listed in the USERS, KILL, and BROWSE aliases on all servers.
> In addition to that, they may run /usr/bin/passwd followed by a 1
> letter word or more (username of password to change) but the last
> option says that they CANNOT change root's password. ! is used to
> represent the word "NOT".
>
> PARTTIME ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
>
> This next line allows user "djg" access to everything on the hosts
> listed in the alias DJNET (djbox1 and djbox2). It IS my network after
> all. :)
>
> djg DJNET=ALL
>
> Finally, this last line allows the users listed in the alias
> LINUXGROUP (lyte and SirPlaya) access to ALL commands as user "www"
> and to all of the commands listed in the aliases KILL, USERS, and
> BROWSE on the servers listed in the alias LINUXHELP (lingroup1 and
> lingroup2).
>
> Follow this HowTo: http://www.linuxhelp.net/guides/sudo/
>
> b) Another easy way to do this is to:
>
> 1) Chown the web directories to the "webusers" group.
>
> # chgrp -R webusers /var/www/html
> # chmod -R g+rwx /var/www/html
>
> (chown takes an owner or owner:group, not a mode; the group bits are
> set with chmod.)
>
> Then
>
> 2) add that user to the group /etc/group of webusers.
>
> AND
>
> 3) Only if you don't have follow symlinks enabled outside of
> DocumentRoot (check in your httpd.conf, .htaccess files and virtual
> host configuration), enable group execute to the "/bin/chown" command:
>
> # chgrp webusers /bin/chown
> # chmod g+rx /bin/chown
>
> That way they can all execute that file.
>
> Another fast way is to just add them to the wheel group of /etc/group
> and change the line in /etc/sudoers for wheel, but that gives them
> everything.
>
> On Tue, Jan 26, 2010 at 3:30 PM, David wrote:
>
> > Ok, I'm at the point of frustration with this one. I need to be able to
> > give a specific user access to change ownership on all files in the web
> > directory.
> >
> > I've added this to the /etc/sudoers file:
> >
> > xxxx1234 ALL = NOPASSWD: /bin/chown * /var/www/html/invites
> >
> > Where xxxx1234 is the user I want to give access to. However, after
> > doing so, I get this:
> >
> > wwwphx:/var/www/html/invites>sudo chown vendor web.gif
> > Sorry, user xxxx1234 is not allowed to execute '/bin/chown vendor
> > web.gif' as root on server.name.com.
> >
> > I've tried various variations of said sudoer entry, with none working
> > except giving carte blanche to the "chown" command, which I'm loath to do.
> >
> > What am I doing wrong here?
> >
> > Thanks,
> > David
> >
> > --
> > "I find your lack of faith disturbing."
> > --Darth Vader
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> http://obnosis.110mb.com/nuke/index.php
> http://uncyclopedia.wikia.com/wiki/Arizona

--
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions, that I wish it always to be kept alive. - Thomas Jefferson
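Added example, not part of the thread above. Two things the quoted replies leave unexplained: sudo matches the command's argument string as a whole against the pattern in sudoers, so David's rule `/bin/chown * /var/www/html/invites` only matches invocations whose last argument is literally `/var/www/html/invites`, and `chown vendor web.gif` run from that directory has the argument string `vendor web.gif`, which does not match. Loosening it to `/bin/chown * /var/www/html/invites/*` does not help either, because `*` in sudoers matches across spaces (the sudoers manual's SECURITY NOTES give the `/bin/cat /var/log/messages*` vs `/bin/cat /var/log/messages /etc/shadow` case), so `chown -R root / /var/www/html/invites/x` would be accepted too; likewise the `[A-z]` ranges in the quoted howto are fnmatch ranges and in the C locale also cover `[`, `\`, `]`, `^`, `_` and the backtick. The usual answer is to grant sudo a small wrapper with a fixed interface and put the argument checks in the wrapper. The script below is my own; the install path `/usr/local/sbin/chown-invites`, the owner allowlist and the accompanying sudoers line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a fixed-interface wrapper that sudo
# can grant without any argument wildcards. Assumed install path (hypothetical):
#   /usr/local/sbin/chown-invites   (root-owned, mode 0755, so the caller cannot edit it)
# Assumed sudoers line (hypothetical), granting the wrapper and nothing else:
#   xxxx1234 ALL = (root) NOPASSWD: /usr/local/sbin/chown-invites
#
# Usage: chown-invites OWNER FILE
# The wrapper, not sudoers, decides which owners and which paths are acceptable.

# Tree the caller is allowed to touch (overridable so the checks can be tested).
INVITES_ROOT="${INVITES_ROOT:-/var/www/html/invites}"

# Owners the caller may assign. 'vendor' is the one from the thread; 'www-data'
# is an assumed extra. root is deliberately absent.
ALLOWED_OWNERS="vendor www-data"

# owner_allowed NAME -> exit 0 if NAME is exactly one of ALLOWED_OWNERS.
owner_allowed() {
    for o in $ALLOWED_OWNERS; do
        [ "$1" = "$o" ] && return 0
    done
    return 1
}

# path_in_root PATH -> exit 0 only if PATH names an existing, non-symlink entry
# whose parent directory physically lives inside INVITES_ROOT. The root
# directory itself is refused (its parent is outside the tree).
path_in_root() {
    target=$1
    base=$(basename -- "$target")
    # '.' and '..' would let the caller name the root itself or climb out of it.
    case "$base" in .|..) return 1 ;; esac
    # chown follows symlinks by default, so a symlink planted in the tree could
    # redirect the operation to a file outside it. Refuse them outright.
    [ -L "$target" ] && return 1
    [ -e "$target" ] || return 1
    # cd -P / pwd -P resolve symlinked directories in the parent path, so
    # invites/dirlink/file (with dirlink -> somewhere outside) is rejected too.
    dir=$(cd -P -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) || return 1
    root=$(cd -P -- "$INVITES_ROOT" 2>/dev/null && pwd -P) || return 1
    case "$dir" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_request OWNER FILE -> 0 if both checks pass, non-zero (with a
# message on stderr) otherwise. Separate from the chown so it can be exercised
# without root.
validate_request() {
    if [ $# -ne 2 ]; then
        echo "usage: chown-invites OWNER FILE" >&2
        return 2
    fi
    if ! owner_allowed "$1"; then
        echo "chown-invites: owner '$1' is not permitted" >&2
        return 1
    fi
    if ! path_in_root "$2"; then
        echo "chown-invites: '$2' is not a file inside $INVITES_ROOT" >&2
        return 1
    fi
    return 0
}

# When invoked with arguments (i.e. via sudo), validate and then chown.
# '--' stops a FILE beginning with '-' from being parsed as a chown option.
if [ $# -gt 0 ]; then
    validate_request "$@" || exit $?
    exec chown -- "$1" "$2"
fi
```

With this in place David's original command becomes `sudo chown-invites vendor web.gif`, run from the invites directory or with a full path; the relative path is resolved against the physical current directory, so it still has to land inside the tree. Because the wrapper runs as root, it must not be writable by the user who can invoke it, and any change to what the user is allowed to do is made in the script rather than by loosening the sudoers pattern.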