sudo chown - prevent ../

Solution 1:

sudo introduces inherent security risks and it is generally ill advised to give to users that don't have high levels of trust.

Why not limit simply to recursive chown for the parent directory?

sudoers primarily uses globbing. According to the manpage, it doesn't match / on wildcards. More details in the manpage.

As far as a more advanced solution, a script should do the trick.

[root@server wmoore]# egrep '^wmoore' /etc/sudoers
wmoore ALL= NOPASSWD: /bin/chown -[RPfchv] wmoore\:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo -l
User wmoore may run the following commands on this host:
    (root) NOPASSWD: /bin/chown -[RPfchv] wmoore:wmoore /home/wmoore/[a-zA-Z0-9]*

[wmoore@server ~]$ sudo chown -R wmoore:wmoore /home/wmoore/../../tmp/test
Sorry, user wmoore is not allowed to execute '/bin/chown -R wmoore:wmoore /home/wmoore/../../tmp/test' as root on server.

Oh, right. sudo package:

Name        : sudo                         Relocations: (not relocatable)
Version     : 1.6.9p17                          Vendor: CentOS
Release     : 3.el5_3.1                     Build Date: Tue 24 Mar 2009 07:55:42 PM EDT

CentOS5.

Solution 2:

Try making a 'chroot replacement' script, which validates input before doing the chown() thing. Then add this script instead of /bin/chown to sudoers file. You may then set up 'chown' alias for users if that is needed.

On the other hand, are you sure your users need to do chown with root privileges? Maybe sgid or suid bits on the directories will solve your problem?