Re: using chown in the sudoers file

Author: Dazed_75
Date:  
To: Main PLUG discussion list
Subject: Re: using chown in the sudoers file
Another great post from Lisa to store and re-read some day when I understand
more of it :)

On Tue, Jan 26, 2010 at 4:13 PM, Lisa Kachold <> wrote:

> /bin/chown is a suid program, I believe, and you are undoubtedly using
> a newer version of visudo/sudoers that likes users and groups defined,
> like so?
>
> a) You assign users to a group then assign commands to the group in
> the bottom part of the file:
>
> User_Alias      ADMINS = joe, bill, jake
> User_Alias      PARTTIME = jim, jeff, mike
> User_Alias      LINUXGROUP = lyte, SirPlaya
>
> Cmnd alias specification
>
> This section is a way of grouping commands together. The syntax is:
>
> Cmnd_Alias COMMANDALIASNAME = command1,command2,etc...
>
> If you'd like to specify arguments, you can use [] and wildcards to
> make commands. For instance, one of the below aliases, USERS, includes
> /usr/sbin/adduser [A-z]*, which means that they can run
> /usr/sbin/adduser and must have an argument of 1 or more letters.
>
> Cmnd_Alias      BROWSE = /bin/ls, /bin/cd, /bin/cat
> Cmnd_Alias      KILL = /bin/kill
> Cmnd_Alias      USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*
>
> User privilege specification
>
> This is the User privilege section. This is where you give out the
> special privileges to users, or user aliases using the aliases we have
> created above.
>
> The syntax is:
>
> USER HOST=COMMANDS
>
> where USER can be either a user name or user alias, as well as HOST
> and COMMANDS.
>
> The below line allows root access to everything... this shouldn't be a
> problem as root can do whatever he/she wants anyway.
>
> root    ALL=(ALL) ALL
>
> This next line allows the users specified in the ADMINS alias
> (joe, bill, and jake) access to everything as well.
>
> ADMINS ALL=ALL
>
> This next line will show you another interesting feature of sudo. This
> allows the users in the PARTTIME alias (jim, jeff, mike) to do all of
> the commands listed in the USERS, KILL, and BROWSE aliases on all servers.
> In addition to that, they may run /usr/bin/passwd followed by a word of
> 1 letter or more (username of password to change), but the last
> option says that they CANNOT change root's password. ! is used to
> represent the word "NOT".
>
> PARTTIME ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
>
> This next line allows user "djg" access to everything on the hosts
> listed in the alias DJNET(djbox1 and djbox2). It IS my network after
> all. :)
>
> djg DJNET=ALL
>
> Finally, this last line allows the users listed in the alias
> LINUXGROUP (lyte and SirPlaya) access to ALL commands as user "www"
> and to all of the commands listed in the aliases KILL,USERS, and
> BROWSE on the servers listed in the alias LINUXHELP(lingroup1 and
> lingroup2).
>
> Follow this HowTo: http://www.linuxhelp.net/guides/sudo/
>
> b) Another easy way to do this is to:
>
> 1) Chown the web directories to "webusers" group.
>
> # chgrp -R webusers /var/www/html
> # chmod -R g+rwx /var/www/html
>
> Then
>
> 2) add that user to the group /etc/group of webusers.
>
> AND
>
> 3) Only if you don't have follow symlinks enabled outside of
> DocumentRoot (check in your httpd.conf, .htaccess files and virtual
> host configuration), enable group execute to the "/bin/chown" command:
>
> # chgrp webusers /bin/chown
> # chmod g+rx /bin/chown
>
> That way they can all execute that file.
>
> Another fast way is to just add them to the wheel group of /etc/group
> and change the line in /etc/sudoers for wheel, but that gives them
> everything.
>
> On Tue, Jan 26, 2010 at 3:30 PM, David <> wrote:
> > Ok, I'm at the point of frustration with this one. I need to be able to
> give a specific user access to change ownership on all files in the web
> directory.
> >
> > I've added this to the /etc/sudoers file:
> >
> > xxxx1234                        ALL = NOPASSWD: /bin/chown * /var/www/html/invites
> >
> > Where xxxx1234 is the user I want to give access to. However, after
> doing so, I get this:
> >
> > wwwphx:/var/www/html/invites>sudo chown vendor web.gif
> > Sorry, user xxxx1234 is not allowed to execute '/bin/chown vendor web.gif' as root on server.name.com.
> >
> > I've tried various variations of said sudoer entry, with none working
> except giving carte blanche to the "chown" command, which I'm loath to do.
> >
> > What am I doing wrong here?
> >
> > Thanks,
> > David
> >
> > --
> > "I find your lack of faith disturbing."
> > --Darth Vader
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
>
>
> --
> Skype: (623)239-3392
> AT&T: (503)754-4452
> http://obnosis.110mb.com/nuke/index.php
> http://uncyclopedia.wikia.com/wiki/Arizona

--
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions,
that I wish it always to be kept alive.
- Thomas Jefferson
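An added example, not part of the thread and not sudo's own code: a small Python model of the Cmnd matching rules in sudoers(5), used to show why David's entry rejects `chown vendor web.gif`, how the `!` entry in Lisa's PARTTIME line withdraws root's password change, and why an argument wildcard alone does not keep chown inside the web directory. The `allowed` function and the constructed specs and paths are assumptions for the example; it reads no real sudoers file and does not expand aliases.

```python
"""Model of how sudo matches a Cmnd spec, after sudoers(5); added example,
not sudo's code. The command path must match exactly; the user's arguments
are joined with spaces and globbed as one string against the spec's pattern
('*' also matches '/' and spaces); no pattern allows any arguments, "" allows
none; a leading '!' negates an entry and the last matching entry wins."""
from fnmatch import fnmatchcase

def parse_spec(spec):
    """Split one entry into (negated, command path, argument pattern or None)."""
    negated = spec.startswith("!")
    body = (spec[1:] if negated else spec).strip()
    path, sep, args = body.partition(" ")
    return negated, path, (args.strip() if sep else None)

def entry_matches(spec, cmd, argv):
    """True if one spec entry matches the command path and argument list."""
    _, path, pattern = parse_spec(spec)
    if path != cmd:
        return False
    if pattern is None:          # no arguments in the spec: anything goes
        return True
    user_args = " ".join(argv)
    if pattern == '""':          # explicit "" in the spec: no arguments allowed
        return user_args == ""
    return fnmatchcase(user_args, pattern)

def allowed(cmnd_list, cmd, argv):
    """Evaluate a comma-separated Cmnd list; the last matching entry decides."""
    verdict = False
    for spec in cmnd_list.split(","):
        spec = spec.strip()
        if entry_matches(spec, cmd, argv):
            verdict = not spec.startswith("!")
    return verdict

# David's entry: after '*' the literal directory must follow, so a relative
# file name typed while inside that directory can never match.
DAVID = "/bin/chown * /var/www/html/invites"
# This form matches files under the directory, but since '*' matches '/' it
# also accepts '..' components (the caveat in sudoers(5)); a wrapper script
# that validates its own arguments is the safer target to grant via sudo.
INSIDE = "/bin/chown * /var/www/html/invites/*"
# The passwd part of Lisa's PARTTIME line: '!' withdraws root's entry.
PASSWD = "/usr/bin/passwd [A-z]*, !/usr/bin/passwd root"

if __name__ == "__main__":
    print(allowed(DAVID, "/bin/chown", ["vendor", "web.gif"]))          # False
    print(allowed(INSIDE, "/bin/chown", ["-R", "vendor", "/var/www/html/invites/../.."]))  # True
    print(allowed(PASSWD, "/usr/bin/passwd", ["root"]))                 # False
```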