Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How to make a normal user use the 'chown' command
- Thread starter kmoekmio
- Start date
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
Your best bet will be [tt]sudo[/tt].
Another option (not for anyone that isn't fully aware of the ramifications), would be to create an executable that does the chown you need, and set it suid.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
Another option (not for anyone that isn't fully aware of the ramifications), would be to create an executable that does the chown you need, and set it suid.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
I would prefer to use sudo inside a script (if you want to call it chown) and put it in the home directory of the user.
I just have a bad experience with users when they know that they can do things under root permissions! they will ask more and more!
Sometimes the user is naive and won't even notice that it is a script located in his home directory!
Regards,
Khalid
I just have a bad experience with users when they know that they can do things under root permissions! they will ask more and more!
Sometimes the user is naive and won't even notice that it is a script located in his home directory!
Regards,
Khalid
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
Good point, Khalid. I use wrappers for sudo use by non-operational users, and sometimes for the operators as well.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
At the risk of stating the obvious, make sure you tie down the chown process. Here's an example of how I got it wrong.
I inherited a legacy script which include the line
never mind why the original coder felt he needed the data file to be owned by root, but he did. I wrote a wrapper for this so that the user could only use chown in exactly that format but it was pointed out to me that the user could
[ol]
[li]write a 'C' program which included a command to switch user to root and run ksh[/li]
[li]rename this program data file[/li]
[li]chmod 6755 data_file[/li]
[li]sudo chown root:sys data_file[/li]
[/ol]and, bingo, the user has root access.
Fortunately for me it turned out that the data_file didn't need to be owned by root and we could simply drop the line from the script.
Ceci n'est pas une signature
Columb Healy
I inherited a legacy script which include the line
Code:
chown root:sys data_file[ol]
[li]write a 'C' program which included a command to switch user to root and run ksh[/li]
[li]rename this program data file[/li]
[li]chmod 6755 data_file[/li]
[li]sudo chown root:sys data_file[/li]
[/ol]and, bingo, the user has root access.
Fortunately for me it turned out that the data_file didn't need to be owned by root and we could simply drop the line from the script.
Ceci n'est pas une signature
Columb Healy
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
columb,
They wouldn't even have to work that hard.
[ol]
[li][tt]cp `which ksh` ./data_file[/tt][/li]
[li][tt]chmod 6755 ./data_file[/tt][/li]
[li][tt]sudo chown root:sys ./data_file[/tt][/li]
[/ol]
For someone that sits around figuring out ways to break his own security, I sure gave a fast and loose answer to the original poster.
Proper Addendum
To grant the right to run a process as root to a regular user:
[ol]
[li]Create a script to launch the process, but only after mitigating all means of abuse within the script (checking paths, permissions, etc)[/li]
[li]Set the script to root ownership and 700 permissions[/li]
[li]Grant sudo access to run the script for the user[/li]
[/ol]
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
They wouldn't even have to work that hard.
[ol]
[li][tt]cp `which ksh` ./data_file[/tt][/li]
[li][tt]chmod 6755 ./data_file[/tt][/li]
[li][tt]sudo chown root:sys ./data_file[/tt][/li]
[/ol]
For someone that sits around figuring out ways to break his own security, I sure gave a fast and loose answer to the original poster.
Proper Addendum
To grant the right to run a process as root to a regular user:
[ol]
[li]Create a script to launch the process, but only after mitigating all means of abuse within the script (checking paths, permissions, etc)[/li]
[li]Set the script to root ownership and 700 permissions[/li]
[li]Grant sudo access to run the script for the user[/li]
[/ol]
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
A reasonably simple answer to the security issue might be a script which looks something like
You might want to put in more checks (do you want to allow Jo User to chown files in /bin for example - see Rod's post) but you get the point. This script can then be set 755 permissions and run under sudo.
Ceci n'est pas une signature
Columb Healy
Code:
#!/bin/ksh
[[ $# -eq 3 ]] || { echo invalid parameter count; exit; }
[[ -u $1 ]] && { echo you are not allowed to chown files with the suid bit set; exit; }
[[ -g $1 ]] && { echo you are not allowed to chown files with the setgid bit set; exit; }
[[ -x $1 ]] && { echo you are not alowed to chown executables; exit; }
chown $2:$3 $1Ceci n'est pas une signature
Columb Healy
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
columb said:
I prefer 700. Only root needs to read it for a sudo execution, and 755 makes it easier for the user to find any exploit I may have missed.
I always assume my enemy is smarter and more informed than I am, and obscurity is good as part of security in depth.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
Wish you could view posts with a fixed font? Got Firefox & Greasemonkey? Give yourself the option.
- Status
Similar threads
- Locked
- Question