[ale] Allow non-root user to chown file to other user?
Brian Pitts
brian at polibyte.com
Thu Nov 15 14:14:37 EST 2007
Thomas Stromberg wrote:
> If you really wanted to implement this, you could do so with the
> following script. While I know you are not a fan of the sudo approach,
> combined with this script, it would be invisible to your users, and
> add a syslog entry each time this extended-functionality is used. This
> way you can audit any ownership changes you might have.
>
> -- 8< ---------------------
> #!/bin/sh
> # This assumes you have configured the "admin" group in sudoers for
> # password-less chown.
> #
> # It's recommended you place this somewhere in path such as /usr/local/bin
> # rathern than overwriting /usr/sbin/chown, but both will work.
>
> CHOWN_GROUP="admin"
> REAL_CHOWN="/usr/sbin/chown"
> chown_cmd=$REAL_CHOWN
>
> for group in `groups`
> do
> if [ $group = $CHOWN_GROUP ]; then
> chown_cmd="sudo $REAL_CHOWN"
> fi
> done
>
> $chown_cmd $*
> -- 8< ---------------------
>
Until they chown syslog and remove those entries. There's a thread about
this issue here.
http://lists.debian.org/debian-security/2001/07/msg00160.html
THe best advice I see is "VERY CAREFULLY construct a wrapper that
validates input (i.e. requires absolute paths under a given directory
(i.e. /home) w/o symlinks, matches argument against a list of valid
files, etc.) and then executes the chown itself, and give the user sudo
permission to run the wrapper."
-Brian
More information about the Ale
mailing list