Limit sudo to only one directory and it's subdirectories by sudoers file

linux apache-2.2 chmod sudo chown

So I would like to limit Apache to only change permissions in a certain folder and all of it's sub-directories, so this is what I have in my sudoers file

apache ALL= (ALL) NOPASSWD: /bin/chmod -R [g+ws] /var/www/sites/[a-z]+

But that does not appear to work. I sure I could get it to work by removing the restriction on the subfolder, but that seems dangerous as it would give a potential hacker unlimited access.

So is there a way to limit apache to only change files and folders within the "sites" folder or am I stuck giving unlimited access with chmod / chown?

Are there any big security holes using this approach?


Solution 1:

It's probably better to make the chmod command a shell script to be only run by root and then allow that command to be run in sudo.

Solution 2:

Ok, So apparently this does not use full regular expressions which I was expecting, a regular star did the trick:

apache ALL= (ALL) NOPASSWD: /bin/chmod -R [go]+ws /var/www/sites/*

This is very dangerous. It will open vulnerability in your server . What happen if a user manage to run chmod -R g+w /var/www/sites/../../../../etc/shadow?

Related

How to disable AES128 in Apache?
SQL Server 2008 - scheduled copy of production database into test and development databases
Iptables - Forwarding + Masquerading
Are there any benefits to using a Distributed vSwitch for iSCSI?
Robocopy silently missing files
rsyslog configuration syntax
Is there a limitations to the number of cores on Windows 7 64 operating system?
SMB2 traffic crashes network?
Domain User can RDP into Domain Controller?
Barracuda not delivering external email
Server installation logging / logbook / diary?
Grant access rights to a MySQL instance based on hostname instead of IP address?