AIX

  • 1.  regarding sudo user permission

    Posted 21 days ago

    I am writing to bring to your attention an issue regarding the configuration of sudo permissions for the users in the fnsrr group. Currently, the users in the fnsrr group have been granted sudo access to perform the chown command on files and directories. However, they are able to use the chown command on files and directories that belong to other groups, including root-owned files, which should not be allowed.

    The requirement is as follows:

    Grant chown permissions: The users in the fnsrr group should be allowed to execute the chown command only on files or directories that belong to the fnsrr group.
    Restrict access: They should not be allowed to change the ownership of files and directories that belong to other groups or to root.
    I have attempted to configure the sudoers file to meet these needs, but the current setup still allows broader permissions than intended. I would appreciate assistance in configuring the sudoers file correctly to:

    Allow users in the fnsrr group to perform chown only on files related to the fnsrr group.
    Ensure that they are restricted from modifying files owned by other groups or root.
    Please let me know the steps or assistance you can provide to resolve this issue effectively.

    Thank you for your attention to this matter.



    ------------------------------
    Vivek M
    ------------------------------


  • 2.  RE: regarding sudo user permission

    Posted 20 days ago

    Hi

    I think you need to write a script that does the chown for you and then only allow this script to be executed for the fnsrr group.

    The script could be called /usr/local/bin/safe_chown.sh for instance with the following contents:

    #!/bin/bash

    # Check if the correct number of arguments is provided
    if [[ $# -ne 2 ]]; then
        echo "Usage: $0 <new_owner>:<new_group> <file>"
        exit 1
    fi

    NEW_OWNER_GROUP=$1
    TARGET_FILE=$2

    # Refuse symbolic links: chown follows them by default, while the group
    # check below looks at the link itself, so a link could point anywhere
    if [[ -L "$TARGET_FILE" ]]; then
        echo "Error: symbolic links are not allowed."
        exit 1
    fi

    # Extract the group of the target file (stat -c is GNU coreutils syntax,
    # e.g. from the AIX Toolbox; adjust if the platform's stat differs)
    FILE_GROUP=$(stat -c "%G" "$TARGET_FILE")

    # Ensure the target file belongs to the 'fnsrr' group
    if [[ "$FILE_GROUP" != "fnsrr" ]]; then
        echo "Error: You can only modify ownership of files in the fnsrr group."
        exit 1
    fi

    # Execute chown only if the file is in the fnsrr group
    /usr/bin/chown "$NEW_OWNER_GROUP" "$TARGET_FILE"

    ---

    Save the script and set permissions and ownership as root.

    sudo chmod 755 /usr/local/bin/safe_chown.sh

    sudo chown root:root /usr/local/bin/safe_chown.sh

    Then visudo and add:

    %fnsrr ALL=(ALL) NOPASSWD: /usr/local/bin/safe_chown.sh

    %fnsrr ALL=(ALL) !/bin/chown, !/usr/bin/chown #prevents users from running chown except via the safe_chown.sh script.

    That way you don't use the normal chown; it only works via the script.

    Hope that helps or gives direction.



    ------------------------------
    Lance Martincich
    ERP Systems Engineer
    City of Cape Town
    Cape Town
    +27832856514
    ------------------------------
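A hardened version of the wrapper, written here as an added example rather than code from the thread: it keeps the group fixed at fnsrr, accepts only an owner who is a member of that group, refuses symbolic links (chown follows them by default while the group check does not), confines the resolved path to one directory tree, and uses chown -h so that a path swapped for a link after the check cannot redirect the change. The tree /data/fnsrr is an assumed, hypothetical location for the group's files.

```shell
#!/bin/sh
# Hardened wrapper for "sudo chown" limited to the fnsrr group.
# Assumptions not taken from the thread: managed files live under BASE_DIR
# (hypothetical path) and the group part of the new owner must stay fnsrr.
ALLOWED_GROUP="fnsrr"
BASE_DIR="/data/fnsrr"

# check_spec OWNER:GROUP WANT -> 0 when GROUP equals WANT and OWNER is a
# member of WANT; 1 otherwise. Pure policy check, no side effects.
check_spec() {
    spec=$1; want=$2
    case $spec in *:*) ;; *) return 1 ;; esac
    owner=${spec%%:*}; group=${spec#*:}
    [ "$group" = "$want" ] || return 1
    case $owner in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # primary and supplementary groups of the requested owner
    id -nG "$owner" 2>/dev/null | tr ' ' '\n' | grep -qx "$want"
}

# check_target PATH WANT BASE -> 0 when PATH exists, is not a symlink,
# resolves to somewhere under BASE and is group-owned by WANT.
check_target() {
    path=$1; want=$2; base=$3
    [ -e "$path" ] || return 1
    [ ! -L "$path" ] || return 1   # chown follows links; stat/ls inspect the link
    dir=$(cd -P -- "$(dirname -- "$path")" 2>/dev/null && pwd -P) || return 1
    case "$dir/$(basename -- "$path")" in "$base"/*) ;; *) return 1 ;; esac
    set -- $(ls -ld -- "$path")   # field 4 of ls -ld is the group on AIX and Linux
    [ "$4" = "$want" ]
}

main() {
    if [ $# -ne 2 ]; then
        echo "Usage: $0 <new_owner>:$ALLOWED_GROUP <file>" >&2
        return 2
    fi
    check_spec "$1" "$ALLOWED_GROUP" || { echo "denied: bad owner or group" >&2; return 1; }
    check_target "$2" "$ALLOWED_GROUP" "$BASE_DIR" || { echo "denied: bad target" >&2; return 1; }
    # -h: if the path is swapped for a symlink after the check, only the link
    # itself changes owner, never the file it points to
    /usr/bin/chown -h -- "$1" "$2"
}

# Run only when invoked by name (as sudo does), so the file can be sourced for tests.
case ${0##*/} in safe_chown.sh) main "$@"; exit $? ;; esac
```

With this in place the sudoers entry is just the single script line; the sudoers manual itself notes that "!" exclusions like the second rule above are not a reliable way to deny a command, and (root) is tighter than (ALL) when the script only ever needs to run as root.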