We are using sudo users with limited commands to execute and assigned default home directory /home/sudouser but if that particular sudo user is running command cd \ its changing the directory to the main root directory /. This behaviour is totally insecure for us.
We need it such that if the sudo user is entering cd / or cd it changes directory to their home directory /home/sudouser
Please let us know how we can implement this?
Don't ever try to restrict a sudo user to only a directory or a command, a sudo user can by definition do what he wants.
In your case, having a script that assigns the home directory is I think a better idea. To solve the trouble of permissions look for the suid bit in permissions: http://www.linuxnix.com/suid-set-suid-linuxunix/
For example: create a sh file that has the following permissions: "-rwsr--r--" that is owned by root and as a group that can be accessed by the user whom you want to use the script.
Then in the file you create a simple script to execute the command to change default directory with let's say two parameters (username and directory)
Related
As a web developer I always have the problem when updating PHP (and other) files from an SSH client, because I am logged in as a user or simply root.
After that update I always have to run manually from a terminal 'chown -R apache:apache *' to make the files accessible.
I tried to make a user ID and add it to the group 'apache' and add the apache user to the group of my user id. That works only for existing files on the server file system, because newly created files have permissions rwxr--r-- which does not allow writing by my user even as it is in the 'apache' group.
I'd like to make a login (shell is not needed) for the Apache user, so I can use an SSH based file browser like Forklift to login as Apache or use sshfs to mount as Apache user.
Another way is make umask that my user id always sets attributes of newly created files from sshfs mount or a file browser (mounted with my user id, not root) that they have permission rwxrwxr-- (i.e. 0775) by default.
Is there a way I can upload files to the server (updating existing op create new ones) without having to worry about permissions by Apache ?
You have to set the setgid
For example, do the following steps:
adduser hugo
addgroup apache
usermod -a -G apache hugo
mkdir /tmp/example
chown hugo:apache /tmp/example
chmod g+s /tmp/example
su hugo
cd /tmp/example
touch my_file
ls -l
I am currently working on a bash script which has a user that is created for the job it is running. The user does not exist outside of the script. I am trying to test my code coverage while leaving the user intact.
exec aa-exec -p test-user -- coverage run --source=/test/server ./main.py
The problem is that the test-user does not have access to the code coverage folder. After running chmod -R 777 /usr/local/bin/coverage I still get /usr/bin/python: can't open file '/usr/local/bin/coverage': [Errno 13] Permission denied. I have also tried to temporarily elevate the user inside the bash script using sudo, but because the user only exists inside the file, the sudoers file throws an exception.
I am currently out of ideas since the permissions for this user have to remain restricted ideally. Any suggestions?
Have you checked, that the user has access to each of the directories above?
I.e. the user needs to have 'x' and 'r' rights to each of these directories:
/usr
/usr/local
/usr/local/bin
Linux System: Ubuntu 14.04 LTS
I copy some app (like xxx) to the /opt folder to be used also by another user-accounts. Then to start it I use:
sudo /opt/xxx_folder/xxx
(of course, links to /usr/local/bin or /usr/bin, etc.) to start it;
Problem: I'm storing the results/projects of the app to my local folder ( like /home/myuser/xxx_data). And of course the folder and it's data xxx_data belongs to root (not myuser). So I have to change the owner every time I want to edit those files using another app not as a root.
Question: is there a way to install an app xxx to /opt so, that I don't need to start them as a root?
OR maybe you see another way to solve this 'root-user-problem?'
You can add execute permission to any file like this.
sudo chmod +x file.sh
If you want to do that for all files in that folder try this:
sudo chmod +x /opt/*
Note the +x just adds execute permission to your logged in user. I think all users have read (+r) by default so if you also want to add write permission:
sudo chmod +xw /opt/*
Personally I keep all my custom scripts in a bin folder e.g. /opt/bin/ and just do:
sudo chmod +x /opt/bin/*
To run the script without the full path add the bin or full opt folder to your path by adding the following to ~/bashrc file:
PATH=$PATH:/opt/bin
If you don't end up using the bin folder, edit above to be /opt instead of /opt/bin.
I am having a cent-OS server with 5 accounts: developer, user1 ,user2 ,user3 and user4. All the user home directories are under /home like /home/developer, /home/user1, /home/user2, /home/user3 and /home/user4. I want to create a 4 scripts: user1.sh, user2.sh, user3.sh and user4.sh inside the /home/developer folder. When the user developer run the script user1.sh, he switches to the user1 and cd to the home directory of user1 (/home/user1) and so on for the remaining scripts. The idea behind is to keep the developer from the root access and allow switch to other user's home directory by simple executing a command with that user's name. Is it possible?
I suppose you're looking at su - otherUser
Of course, you'll have to provide the password of the other user.
I suppose that something like sudo su - otherUser could work but I haven't tried
in Linux:
I want to limited user only can do sudo on specify path.
sudo chmod works on /home/Krome/revA
but sudo chmod failed on /home/Krome
Thanks!
Restricting a user or process to a certain path can be done with chroot - the problem here is that after the chroot the commands in $PATH and dynamically loaded objects would no longer be accessible, so you'd need a statically linked shell which executes the chroot as well as the built-in commands that the user shall be able to issue.
I don't think it possible, and am pretty sure it's not reasonable.
chmod would work inside /home/Krome if it's the user's home folder.
I think you need a regular user (without sudo), and everything else can be managed by adding that user to groups and sharing some folders to those groups.
Add to /etc/sudoers something like the following line:
%users ALL = NOPASSWD: /bin/chmod [ugoa][-+=][rwxXst] /home/Krome/*
It basically says that all group users members can invoke sudo chmod in symbolic mode on anything under /home/Krome/ path.
See man sudo for more details.