允许用户在sudo中使用-D (-chdir)选项
允许用户在sudo中使用-D (-chdir)选项
提问于 2022-08-17 21:27:36
我想让用户bob能够在sudo中使用-D选项(就像在/home上打开根shell的sudo -D /home bash一样)。
我怎样才能做到这一点,对安全有什么影响呢?
回答 1
Server Fault用户
回答已采纳
发布于 2022-08-18 13:59:14
该选项相对较新(引入该功能的变更记录项是从2020-09-01开始的,Ubuntu支持只是启动Ubuntu 21)
-D directory, --chdir=directory
Run the command in the specified directory instead of the current working
directory. The security policy may return an error if the user does not have
permission to specify the working directory./etc/sudoers中的关联设置是:
runcwd If set, sudo will use this value for the working directory when running a
command. The special value “*” will allow the user to specify the working
directory via sudo's -D option. See the Chdir_Spec section for more details.
....
Chdir_Spec
The working directory that the command will be run in can be specified using the CWD
setting. The directory must be a fully-qualified path name beginning with a ‘/’ or ‘~’
character, or the special value “*”. A value of “*” indicates that the user may specify the
working directory by running sudo with the -D option. By default, commands are run from the
invoking user's current working directory, unless the -i option is given. Path names of the
form ~user/path/name are interpreted as being relative to the named user's home directory.
If the user name is omitted, the path will be relative to the runas user's home directory.
This setting is only supported by version 1.9.3 or higher我手头没有合适的系统,但我认为您可以允许用户使用alice和bob权限来使用-D:
# /etc/sudoers or include from /etc/sudoers.d/
...
# Modify the defaults for the members of User_Alias USERLIST
Defaults:USERLIST runcwd=*
# User alias specification
User_Alias USERLIST = alice, bob至于安全问题:我觉得没有资格说是否有任何风险,或者它是否提供了新的滥用途径。我也没有找到任何赞成或反对runcwd=*的建议,只是粗略地搜索一下。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1108438
复制相关文章
相似问题
腾讯云开发者
