Allow chown command to www-data user
Are you sure that www-data needs to do chown? Please explain why. There is no way to get /bin/chown to restrict UIDs. You will have to write a wrapper around /bin/chown that does the input validation, then calls the real /bin/chown, then allow www-data access only to the wrapper.
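The wrapper the answer describes, written out as an added example (this is not code from the answer or from the asker's project). It assumes a hypothetical upload tree under /srv/uploads, falls back to uid 33 for www-data if that account is absent, and implements the asker's own rule that the target uid must be strictly greater than www-data's. The validation is kept in functions separate from the chown call so it can be exercised without root.

```shell
#!/bin/sh
# chown-wrapper: the only chown that www-data is allowed to run (through sudo).
# Added example for this thread, not code from the original answer. It assumes:
#   - tenant uploads live under UPLOAD_ROOT (hypothetical path /srv/uploads)
#   - every tenant account has a uid strictly greater than www-data's uid,
#     which is the asker's rule; adjust uid_allowed if your policy differs.
# The installed copy should hard-code UPLOAD_ROOT and WWW_UID: the environment
# defaults below exist only so the functions can be exercised outside sudo.
set -eu

UPLOAD_ROOT="${UPLOAD_ROOT:-/srv/uploads}"
# uid of www-data; 33 is the Debian/Ubuntu default, used if the account is absent
WWW_UID="${WWW_UID:-$(id -u www-data 2>/dev/null || echo 33)}"

# is_uint STR: succeed only if STR is a non-empty run of decimal digits, so a
# name ("root"), a sign, or a second token ("1000 0") is rejected before test(1)
# ever sees it.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# uid_allowed UID: the asker's rule, target uid strictly greater than www-data's.
uid_allowed() {
    is_uint "$1" || return 1
    [ "$1" -gt "$WWW_UID" ]
}

# path_allowed PATH: canonicalise both the request and UPLOAD_ROOT (so a symlink
# or ".." component cannot point outside the tree) and require the file to exist
# strictly below the root. Leaves the resolved path in $real for the caller.
path_allowed() {
    root=$(realpath -e -- "$UPLOAD_ROOT" 2>/dev/null) || return 1
    real=$(realpath -e -- "$1" 2>/dev/null) || return 1
    case "$real" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# validate UID PATH: both checks must pass; the return value is what main acts on.
validate() {
    uid_allowed "$1" && path_allowed "$2"
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 UID PATH" >&2; exit 2; }
    validate "$1" "$2" || { echo "refused: uid=$1 path=$2" >&2; exit 1; }
    # -h changes the entry itself rather than following a symlink dropped in
    # after the check; $real is the already-resolved path from path_allowed.
    exec /bin/chown -h -- "$1" "$real"
}

# Only act when invoked with arguments (i.e. as the sudo target); sourcing the
# file with no arguments just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it root-owned, mode 0755, at a path www-data cannot write (say /usr/local/sbin/chown-wrapper, a hypothetical location), and grant only that command in sudoers: `www-data ALL=(root) NOPASSWD: /usr/local/sbin/chown-wrapper`. Two caveats a practitioner should weigh before deploying this: a uid comparison is not a tenant boundary, since any account with a higher uid (another tenant, a later-added service account) remains a valid target, so a production check should also tie the target uid to the tenant who owns that upload directory; and checking a path and then chowning it is still a check-then-act sequence, so keep the wrapper non-recursive and operate on a tree the web user cannot rearrange while the wrapper runs.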
Updated on September 18, 2022
Comments
-
Kshitiz over 1 year
Is there a way to allow the chown command to be run by www-data but limit it in a way that the file's owner can be changed only to uids greater than that of the www-data user?
I have already researched a lot, and the only way to allow chown to be run by any user other than root requires giving sudo privileges to that user, but that is not an option for me until I can make sure that the owner is not set to any user with a smaller uid than www-data.
To give the context, I am creating an app where I am trying to simulate hosting by creating a new Linux user for each signed-up user. The user can then upload files, but I need to change the owner of these files to the corresponding Linux user.
-
TuKsn over 9 years
What about this askubuntu.com/questions/159007/… ?
-
Kshitiz over 9 years
Yeah, as I mentioned, I already know how to allow www-data to use the chown command. My question was how to prevent the www-data user with sudo privileges from setting the owner of a file to a user with a lesser uid (e.g. what happens if my server is compromised and www-data tries to set the owner of a file to root). That's where the can of worms opens!!
-
Kshitiz over 9 years
I did something similar to that and created a wrapper that handles the chown request using an upstart daemon, so I prevented that crazy hack of allowing chown to be run by www-data. It was a design flaw.