Score:1

sudo file in sudoers - why can the user modify the file?

cn flag

I want to allow one user to run specialscript.sh as root

so in his folder I created

-rwxr-----  1 root deployers     142 Jul 16 14:07 specialscript.sh

and in sudoers.d/specialscripts:

user123 ALL=(root) NOPASSWD: /home/user123/specialscript.sh



$ sudo specialscript.sh
Running script as user root
$

perfect

Other users can't access the files in /home/user123, so it is secure. If some user moves it to another folder it won't work.

BUT

because user is in group deployers he can see the content of this file (and this is intentional).

BUT he can also edit this file. After saving, the ownership changed to

-rwxr-----  1 user123 user123    142 Jul 16 14:07 specialscript.sh

BUT he can still run it as root...

$ sudo specialscript.sh
Running script as user root
HAHAHA! I CAN RUN rm -rf!
$

For now the only prevention I can see is to change the group, or remove read (which prevents reading), or chattr +i /home/user123/specialscript.sh

but this is not obvious behaviour...

jp flag
I am unable to reproduce this. If I try to edit the file, it is unwritable, as it should be.
jp flag
What are permissions of the parent directory, `/home/user123`?
za flag
I think there is a lot of missing information, please see [ask]. IMHO, if you put test.sh in user1 and user2 has sudo rights, then he can run but not edit the file over sudo due to the limitation, but if user1 will be used for login there will be no protection. Moreover, a chmod 711 would be enough in my mind, because execution does not require read rights.
jp flag
If the user has write permissions to the parent directory, `/home/user123`, then he can remove and re-create the file with the same name.
cn flag
Why not just avoid all of this and put the file in another directory with the same permissions for both the file and the directory? That way, `user123` doesn't own the file and can't delete it and create another file with the same name that does something else that isn't wanted.
cn flag
Permissions of the parent directory are default; the folder was created by adduser user123.
Score:2
jp flag

The owner of the parent directory cannot edit the file, but can remove & recreate it:

Removal:

$ ls -aslh
total 8,0K
4,0K drwxr-xr-x 2 user user 4,0K 17. 7. 12:35 .
4,0K drwxr-xr-x 6 user user 4,0K 17. 7. 12:34 ..
   0 -rwxr-x--- 1 root adm     0 17. 7. 12:35 test.sh
$ rm test.sh 
rm: remove write-protected regular empty file 'test.sh'? y

Re-creation with a different user (inherited from the parent directory):

$ touch test.sh
$ chmod 750 test.sh 
$ ls -aslh
total 8,0K
4,0K drwxr-xr-x 2 user user 4,0K 17. 7. 12:36 .
4,0K drwxr-xr-x 6 user user 4,0K 17. 7. 12:34 ..
   0 -rwxr-x--- 1 user user    0 17. 7. 12:36 test.sh

To prevent this, place the script in a path where all the parent directories are owned by root:root. By the Linux directory structure convention, such a path would be /usr/local/sbin/script.sh.

The /usr/local directory is where locally compiled applications install to by default — this prevents them from mucking up the rest of the system.

The /sbin directory is similar to the /bin directory. It contains essential binaries that are generally intended to be run by the root user for system administration.
