topic Re: sudo entry in Operating System - HP-UX

sudo entry

Michael Murphy_2 — Thu, 23 Mar 2006 10:33:53 GMT

Does anyone know if this is possible:

Putting in an entry in sudoers file that allow a given user to do chown/chgrp AS ROOT - but restrict other root commands?

Thanks....Mike

Re: sudo entry

James A. Donovan — Thu, 23 Mar 2006 10:50:24 GMT

just add a line to the end of the sudoers file like this...

myuser ALL = /usr/bin/chown *, /usr/bin/chgrp *

Re: sudo entry

Doug O'Leary — Thu, 23 Mar 2006 10:51:08 GMT

Yes, it's certainly possible although, that particular command should be granted with care.

${user} ALL=(ALL) /bin/chown, /bin/chgrp

in the sudoers will do exactly what you're looking for. Realize that gives the user the ability to chown *any* file on the system. If you give them chmod as well, you've just given them the system:

cp /bin/ksh /tmp/.my_root_hack
sudo /bin/chown root:sys /tmmp/.my_root_hack
sudo /bin/chmod 4755 /tmp/.my_root_hack

will give the user a root owned suid ksh.

sudo is a great command; however, you need to be careful with it...

Doug

Re: sudo entry

Doug O'Leary — Thu, 23 Mar 2006 10:52:39 GMT

quick addendum; those commands are in /usr/bin; didn't realize I was on a linux box when I looked for their location...

Sorry for the confusion.

Doug

Re: sudo entry

Anthony khan — Thu, 23 Mar 2006 10:54:12 GMT

You can put following in sudoers file

user ALL=/usr/bin/chown,/usr/bin/chgrp

Re: sudo entry

A. Clay Stephenson — Thu, 23 Mar 2006 11:07:55 GMT

Yes, it is possible.

sudoer's excerpt

User_Alias SPECIAL = tom,dick,harry

Runas_Alias RT = root

Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias CHGRP = /usr/bin/chgrp

SPECIAL ALL = (RT) CHOWN, CHGRP

This would allow users tom, dick, and harry to run chown and chgrp as root.

Note that there is a danger to this because you have also allowed these users to create setuid root programs w/o explicitly granting that ability -- so be careful what you ask for.