How to create a very small sudoers file?
Posted: Mon Feb 09, 2004 2:29 am
Hi everyone,
Well, here's the catch...
We are building a Samba management system for work (we have to complete a certain project in 6 weeks time for school, but in a company environment).
We need to run several commands that are only accessible and runnable by root.
At this moment we use the sudoers file with this setup:
root ALL=(ALL) ALL
www-data ALL = NOPASSWD: /bin/cat, /bin/grep, /bin/chown, /bin/chgrp,\
/usr/sbin/useradd, /bin/chmod, /usr/bin/smbpasswd, \
/bin/mkdir, /usr/sbin/userdel, /usr/sbin/usermod, \
/bin/rm, /usr/bin/find, /usr/sbin/groupadd, /usr/sbin/groupmod, \
/usr/sbin/groupdel, /etc/init.d/samba reload, /bin/mv, /bin/ls, /usr/bin/du
According to our bosses, that's way too much. And indeed, it could pose a major security leak.
Our intention is to write a script which handles all of these commands with their appropriate options used in our scripts. And they only want one command for www-data to run as root.
So all these commands must come in one script run by sudoers.
We wonder how we can write such a script...can we write it in PHP or does it have to be a shell script?
And what needs to be in the script?
We have no idea how to do this, and close this security leak.
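The kind of wrapper the post is asking about, as an added example (not code from the poster or their project): one root-owned shell script that becomes the single command www-data may run through sudo, exposing a few fixed management actions instead of general-purpose tools like rm, find, chmod and mv. The script path /usr/local/sbin/samba-admin, the share root /srv/samba/users and the exact set of subcommands are assumptions; the useradd, userdel, groupadd, smbpasswd and /etc/init.d/samba commands are the ones listed in the post. The important points it demonstrates are a fixed PATH, a strict whitelist on the one caller-supplied value (the account name, which also rules out option injection via a leading dash), paths built only from validated names, and a fixed argument list per action so nothing from the web request is interpolated into a shell string.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumed sudoers entry:
#   www-data ALL = NOPASSWD: /usr/local/sbin/samba-admin
# The script must be owned by root, mode 0755, in a directory www-data
# cannot write to, and should be the only entry for www-data.
set -eu
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # never trust the caller's PATH
export PATH
umask 077

SHARE_ROOT=/srv/samba/users          # assumption: where user shares live
DRY_RUN=${DRY_RUN:-0}                # DRY_RUN=1 prints commands instead of running them

# Whitelist for account and group names: first char a-z, then a-z0-9_-,
# at most 32 chars. Empty strings, leading dashes (would be parsed as
# options), slashes, spaces and shell metacharacters are all rejected.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Execute one privileged command with a fixed argument vector (no eval,
# no string interpolation). Any failure aborts the whole action.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { printf 'samba-admin: %s failed\n' "$1" >&2; exit 1; }
    fi
}

# One subcommand per management action. Each action checks its argument
# count and validates every name before touching anything.
dispatch() {
    [ $# -ge 1 ] || return 2
    action=$1; shift
    case "$action" in
        adduser)
            [ $# -eq 1 ] && valid_name "$1" || return 2
            run useradd -M -s /usr/sbin/nologin -d "$SHARE_ROOT/$1" "$1"
            run mkdir -p "$SHARE_ROOT/$1"
            run chown "$1:$1" "$SHARE_ROOT/$1"
            ;;
        setpass)
            # Password is read from stdin by smbpasswd -s (two lines),
            # so it never appears on the command line or in ps output.
            [ $# -eq 1 ] && valid_name "$1" || return 2
            run smbpasswd -a -s "$1"
            ;;
        deluser)
            [ $# -eq 1 ] && valid_name "$1" || return 2
            run userdel "$1"
            run rm -rf "$SHARE_ROOT/$1"    # path derives only from the validated name
            ;;
        addgroup)
            [ $# -eq 1 ] && valid_name "$1" || return 2
            run groupadd "$1"
            ;;
        reload)
            [ $# -eq 0 ] || return 2
            run /etc/init.d/samba reload
            ;;
        *) return 2 ;;
    esac
}

main() {
    dispatch "$@" || {
        printf 'usage: samba-admin adduser|setpass|deluser|addgroup NAME | reload\n' >&2
        exit 2
    }
}

# Only dispatch when invoked with arguments (keeps the functions usable on their own).
[ "$#" -eq 0 ] || main "$@"
```

Invoked as `sudo /usr/local/sbin/samba-admin adduser alice` from the web application; anything outside the listed actions, or any name that fails the whitelist, is refused before a single privileged command runs. With this in place the long sudoers line from the post collapses to the one entry in the header comment, and adding `Defaults env_reset` in sudoers keeps the caller's environment out of the script as well.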