
sudo entry

 
Michael Murphy_2
Frequent Advisor

sudo entry

Does anyone know if this is possible:

Putting an entry in the sudoers file that allows a given user to do chown/chgrp AS ROOT - but restricts other root commands?

Thanks....Mike
5 REPLIES
James A. Donovan
Honored Contributor

Re: sudo entry

Just add a line to the end of the sudoers file like this...


myuser ALL = /usr/bin/chown *, /usr/bin/chgrp *
Remember, wherever you go, there you are...
Doug O'Leary
Honored Contributor

Re: sudo entry

Yes, it's certainly possible, although that particular command should be granted with care.

${user} ALL=(ALL) /bin/chown, /bin/chgrp

in the sudoers will do exactly what you're looking for. Realize that gives the user the ability to chown *any* file on the system. If you give them chmod as well, you've just given them the system:

cp /bin/ksh /tmp/.my_root_hack
sudo /bin/chown root:sys /tmp/.my_root_hack
sudo /bin/chmod 4755 /tmp/.my_root_hack

will give the user a root owned suid ksh.

sudo is a great command; however, you need to be careful with it...

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Doug O'Leary
Honored Contributor

Re: sudo entry

Quick addendum: those commands are in /usr/bin; didn't realize I was on a Linux box when I looked for their location...

Sorry for the confusion.

Doug

Anthony khan
Frequent Advisor

Re: sudo entry

You can put the following in the sudoers file:

user ALL=/usr/bin/chown,/usr/bin/chgrp

A. Clay Stephenson
Acclaimed Contributor

Re: sudo entry

Yes, it is possible.

sudoers excerpt:

User_Alias SPECIAL = tom,dick,harry

Runas_Alias RT = root

Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias CHGRP = /usr/bin/chgrp


SPECIAL ALL = (RT) CHOWN, CHGRP


This would allow users tom, dick, and harry to run chown and chgrp as root.

Note that there is a danger to this because you have also allowed these users to create setuid root programs w/o explicitly granting that ability -- so be careful what you ask for.
If it ain't broke, I can fix that.
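
An added example, not code from any poster in this thread: a small Python audit that reads sudoers text and reports which users can run chown, chgrp or chmod as root with unrestricted arguments, and which of them hold chown and chmod together, the combination Doug's reply warns about. The sample rules, the users opsuser and webadm, and the function names are constructed for illustration; the parser assumes one rule per line with no line continuations, tags such as NOPASSWD:, or Runas groups.

```python
import re

RISKY = {"chown", "chgrp", "chmod"}  # ownership/mode changers discussed in the thread
ALIAS = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

# Constructed sample: the sudoers styles posted in this thread plus two made-up users.
SAMPLE = """\
User_Alias SPECIAL = tom,dick,harry
Runas_Alias RT = root
Cmnd_Alias CHOWN = /usr/bin/chown
Cmnd_Alias CHGRP = /usr/bin/chgrp
SPECIAL ALL = (RT) CHOWN, CHGRP
myuser ALL = /usr/bin/chown *, /usr/bin/chgrp *
opsuser ALL=(ALL) /usr/bin/chown, /usr/bin/chmod
webadm ALL = /usr/bin/chgrp www /srv/www/index.html
"""

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def audit(sudoers_text):
    """Map each user to risky commands runnable as root with any arguments (bare path or "*")."""
    aliases = {kind: {} for kind in ("User", "Runas", "Host", "Cmnd")}
    findings = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and include directives
        if m := ALIAS.match(line):
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
            continue
        if not (m := SPEC.match(line)):
            continue
        who, runas, cmds = m.groups()
        # No Runas list means root; otherwise expand one level of Runas_Alias.
        targets = {t for r in split_list(runas or "root")
                   for t in aliases["Runas"].get(r, [r])}
        if not targets & {"root", "ALL"}:
            continue
        for cmd in split_list(cmds):
            for full in aliases["Cmnd"].get(cmd, [cmd]):
                path, _, args = full.partition(" ")
                name = path.rsplit("/", 1)[-1]
                if name in RISKY and args.strip() in ("", "*"):
                    for user in aliases["User"].get(who, [who]):
                        findings.setdefault(user, set()).add(name)
    return findings

def chown_plus_chmod(findings):
    """Users holding chown and chmod together, the combination Doug's reply warns about."""
    return sorted(u for u, c in findings.items() if {"chown", "chmod"} <= c)
```

Rules with fixed arguments, such as the constructed webadm line, are not reported; rules whose argument patterns contain wildcards are also not reported and still need manual review.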