Allow chown command to www-data user


Are you sure that www-data needs to do chown? Please explain why. There is no way to get /bin/chown to restrict UIDs. You will have to write a wrapper around /bin/chown that does the input validation, then calls the real /bin/chown, then allow www-data access only to the wrapper.

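A minimal wrapper of the kind this answer describes, added here as an illustration and not taken from the original post: it validates the requested owner and path, then execs the real /bin/chown. The sudoers line, the /srv/uploads base directory and the "strictly greater uid than the caller" policy are assumptions.

```python
#!/usr/bin/env python3
"""Restricted chown wrapper: validate the request, then exec /bin/chown.

Hypothetical wrapper (not from the original post). Install root-owned,
mode 0755, and expose it to www-data through sudoers, e.g.
  www-data ALL=(root) NOPASSWD: /usr/local/sbin/safe-chown
so www-data can run only this wrapper and never /bin/chown directly.
"""
import os
import pwd
import sys

CHOWN = "/bin/chown"
UPLOAD_ROOT = "/srv/uploads"  # assumed base directory holding the uploads


def check_request(target_uid, min_uid, path, upload_root):
    """Return None if the request is acceptable, else a refusal reason.

    Policy from the question: the new owner's uid must be strictly greater
    than the caller's (www-data's), and the file must sit under upload_root.
    """
    if target_uid <= min_uid:
        return f"uid {target_uid} is not greater than {min_uid}"
    real = os.path.realpath(path)  # resolve symlinks and '..' before checking
    root = os.path.realpath(upload_root)
    if real != root and not real.startswith(root + os.sep):
        return f"{path} is outside {upload_root}"
    return None


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} USER PATH")
    user, path = argv[1], argv[2]
    try:
        target_uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        sys.exit(f"unknown user: {user}")
    # Under sudo the invoking user's uid is exported as SUDO_UID.
    caller_uid = int(os.environ.get("SUDO_UID", os.getuid()))
    reason = check_request(target_uid, caller_uid, path, UPLOAD_ROOT)
    if reason:
        sys.exit(f"refused: {reason}")
    # Pass the numeric uid and the resolved path; no recursion, no shell.
    os.execv(CHOWN, [CHOWN, str(target_uid), os.path.realpath(path)])


if __name__ == "__main__":
    main(sys.argv)
```

Because the uid is compared numerically after name resolution, a request for root (uid 0) or for www-data itself is refused regardless of how the name is spelled.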


Author: Kshitiz

I'm a self-motivated tech entrepreneur based out of Singapore with over 10 years of experience in building software products. I am passionate about solving real-world problems, with a knack for programming. My experience has been somewhat unique compared to most of my peers. Over the past 10 years of my career, I have started three different tech companies and had an amazing opportunity to build and launch multiple products from the ground up at various points of my life. Being a founder and tech lead for most of my endeavors, I excel at picking up new stacks/technologies and executing to serve unmet customer needs. My focus area for the post-covid universe has been to set up and lead our fully remote team to ship incremental improvements and features on top of our Vue.js and Node.js based SaaS application.

Updated on September 18, 2022

Comments

  • Kshitiz
    Kshitiz over 1 year

    Is there a way to allow the chown command to be run by www-data but limit it in a way that the file's owner can be changed only to uids greater than that of the www-data user?

    I already researched a lot, and the only way to allow chown to be run by any user other than root requires giving sudo privileges to that user, but that is not an option for me until I can make sure that the owner is not set to any user with a smaller uid than www-data.

    To give the context, I am creating an app where I am trying to simulate hosting by creating a new Linux user for each signed-up user. The user can then upload files, but I need to change the owner of these files to the corresponding Linux user.

    • TuKsn
      TuKsn over 9 years
    • Kshitiz
      Kshitiz over 9 years
      Yeah, as I mentioned, I already know how to allow www-data to use the chown command. My question was how to prevent the www-data user with sudo privileges from setting the owner of a file to a user with a lesser uid (e.g. what happens if my server is compromised and www-data tries to set the owner of a file as root). That's where the can of worms opens!!
  • Kshitiz
    Kshitiz over 9 years
    I did something similar to that and created a wrapper that handles the chown request using an upstart daemon, so I prevented that crazy hack of allowing chown to be run by www-data. It was a design flaw.