
Re: Sudo and Chown?



On Thu, Jul 12, 2001 at 04:18:52PM -0700, Paul Socolow wrote:
> I would like to give a user the ability to chown files in certain
> directories to other users ownership.
> 
> I have configured sudo to limit the users and files that can be specified
> for this operation, but there is still one loophole that bugs me:
> 
> If the user were to make a hard link to a file I don't want them to touch in
> one of the directories they can run chown in, they could then sudo and
> change the ownership of the file I was trying to protect. 

yup, not trivial to fix either.

> Is there any way to keep chown from modifying files that are linked? Or can
> you prevent the creation of hard links in a directory?

i think the openwall patch has an option to forbid hard linking to
files you don't own.  that would seem the only obvious solution here.

i am not certain that would solve it entirely though, how are you
restricting them to only chown files in a certain directory?  does
that rule allow chown in subdirectories of that directory?  if so
consider:

ln -s / /place/chown/is/allowed/foo
sudo chown /place/chown/is/allowed/foo/etc/passwd

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
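
An added example, not part of the original message or of sudo: a Python wrapper that applies the checks this thread calls for, refusing symlinked path components and hard-linked targets before changing ownership on the opened descriptor. The names `Refused`, `open_checked`, `safe_chown` and `demo` are hypothetical, the directory tree in `demo` is constructed, and it assumes the delegated directory path itself is set by the administrator.

```python
import os, stat, tempfile
class Refused(Exception): pass

def open_checked(base, relpath):
    # Walk one component at a time from a directory fd, never following a symlink.
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise Refused("path must be relative with no '.', '..' or empty parts")
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            kind = os.O_DIRECTORY if i < len(parts) - 1 else os.O_NONBLOCK
            try:
                nxt = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | kind, dir_fd=fd)
            except OSError as e:
                raise Refused(f"{name!r}: {e.strerror}")
            os.close(fd)
            fd = nxt
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise Refused("not a regular file with exactly one link")
        return fd
    except BaseException:
        os.close(fd)
        raise

def safe_chown(base, relpath, uid, gid):
    fd = open_checked(base, relpath)
    try:
        os.fchown(fd, uid, gid)  # acts on the checked descriptor, no re-lookup by name
    finally:
        os.close(fd)
    return True

def demo():
    # Constructed tree: "allowed" is the delegated directory, "outside" is protected.
    root = tempfile.mkdtemp()
    allowed, outside = os.path.join(root, "allowed"), os.path.join(root, "outside")
    os.mkdir(allowed); os.mkdir(outside)
    for p in (os.path.join(allowed, "ok"), os.path.join(outside, "secret")):
        open(p, "w").close()
    os.link(os.path.join(outside, "secret"), os.path.join(allowed, "hl"))
    os.symlink(outside, os.path.join(allowed, "foo"))
    out = {}
    for rel in ("ok", "hl", "foo/secret", "../outside/secret"):
        try:
            out[rel] = safe_chown(allowed, rel, os.getuid(), os.getgid())
        except Refused as e:
            out[rel] = str(e)
    return out
```

`demo()` chowns each file to the caller's own uid and gid so it runs without root; the plain file succeeds and the hard link, the symlinked directory and the `..` path are each refused.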
