Limit sudo to only one directory and its subdirectories by sudoers file


Solution 1

It's probably better to make the chmod command a shell script to be only run by root and then allow that command to be run in sudo.

Solution 2

OK, so apparently this does not use full regular expressions, which I was expecting; a regular star did the trick:

apache ALL= (ALL) NOPASSWD: /bin/chmod -R [go]+ws /var/www/sites/*

This is very dangerous. It will open a vulnerability in your server. What happens if a user manages to run chmod -R g+w /var/www/sites/../../../../etc/shadow?
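The safer route from Solution 1, as an added example that is not code from the original thread: a root-only wrapper that takes a bare site name, so the path handed to chmod is never under Apache's control and the traversal shown above is rejected. The install path /usr/local/sbin/reset-site-perms and the matching sudoers line are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: a root-only wrapper script that
# replaces the wildcard sudoers rule. Assumed install path and sudoers entry:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/reset-site-perms
# Apache then runs "sudo /usr/local/sbin/reset-site-perms <sitename>" and never
# controls the path passed to chmod. SITES_ROOT may be overridden for testing.
SITES_ROOT="${SITES_ROOT:-/var/www/sites}"

# reset_site_perms NAME
#   Applies "chmod -R g+ws" to $SITES_ROOT/NAME only.
#   Returns 0 on success, 1 for rejected input, 2 if the site directory is missing.
reset_site_perms() {
    local name="$1" target real root
    # Accept a bare site name only. Rejecting "/", "." and whitespace outright
    # closes the "../../etc/shadow" traversal and also the fact that a sudoers
    # "*" matches spaces, i.e. extra arguments such as "foo /etc".
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    target="$SITES_ROOT/$name"
    # Resolve symlinks (cd -P) and require the real directory to still live
    # under SITES_ROOT, so a planted symlink cannot redirect chmod elsewhere.
    root=$(cd -P -- "$SITES_ROOT" 2>/dev/null && pwd -P) || return 2
    real=$(cd -P -- "$target" 2>/dev/null && pwd -P) || return 2
    case "$real" in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    chmod -R g+ws -- "$real"
}

# Entry point when installed as a command: run with the first argument and
# exit with the function's status. With no arguments only the definition loads.
if [ $# -gt 0 ]; then
    reset_site_perms "$1"
    exit $?
fi
```

The sudoers rule then names the script with no arguments, so sudo cannot be talked into running chmod on anything else.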

Author: SeanDowney

Updated on September 18, 2022

Comments

  • SeanDowney
    SeanDowney almost 2 years

    So I would like to limit Apache to only change permissions in a certain folder and all of its sub-directories, so this is what I have in my sudoers file

    apache ALL= (ALL) NOPASSWD: /bin/chmod -R [g+ws] /var/www/sites/[a-z]+

    But that does not appear to work. I'm sure I could get it to work by removing the restriction on the subfolder, but that seems dangerous as it would give a potential hacker unlimited access.

    So is there a way to limit apache to only change files and folders within the "sites" folder or am I stuck giving unlimited access with chmod / chown?

    Are there any big security holes using this approach?

    • Admin
      Admin about 13 years
      You might be asking the wrong question -- WHY do you want to do what you're asking -- what problem are you trying to solve? There's almost always a better way than letting Apache (a server that the whole world interacts with) do anything as root. (See also Michael Lowman's comment below.)
    • Admin
      Admin about 13 years
      Apache should already own its directories. Why do you need to give it sudo permissions?
    • Admin
      Admin about 13 years
      I just looked at what you are trying to do, again. I think you could accomplish what you want by setting the umask in Apache's init script. This would be infinitely better than giving Apache sudo.
    • Admin
      Admin about 13 years
      I'm trying to make a control panel for SVN. When a user does "svn up" it sets incorrect permissions and owner / group. Users also upload files into the folder and the sticky bit gets lost. So things become a mess, so I want a "reset permissions" button that users can use via a web interface to make things all better.
  • Michael Lowman
    Michael Lowman about 13 years
    You might also want to look into ensuring that the files are set correctly upon creation; check the umask if you're unfamiliar with it.
  • SeanDowney
    SeanDowney about 13 years
    Seems like a much safer way to approach this