Ubuntu

Allow a user to use the -D (--chdir) option in sudo

  • August 18, 2022

I want user bob to be able to use the -D option in sudo (for example, sudo -D /home bash to open a root shell in /home).

How do I do that? And what are the security implications?

The option is relatively new (the Changelog entry introducing the feature is dated 2020-09-01, and Ubuntu only ships it from Ubuntu 21 onwards).

man sudo

-D directory, --chdir=directory
            Run the command in the specified directory instead of the current working
            directory.  The security policy may return an error if the user does not have
            permission to specify the working directory.

The relevant setting in /etc/sudoers is:

runcwd        If set, sudo will use this value for the working directory when running a
              command.  The special value “*” will allow the user to specify the working
              directory via sudo's -D option.  See the Chdir_Spec section for more details.

 ....
Chdir_Spec

The working directory that the command will be run in can be specified using the CWD
setting.  The directory must be a fully-qualified path name beginning with a ‘/’ or ‘~’
character, or the special value “*”.  A value of “*” indicates that the user may specify the
working directory by running sudo with the -D option.  By default, commands are run from the
invoking user's current working directory, unless the -i option is given.  Path names of the
form ~user/path/name are interpreted as being relative to the named user's home directory.
If the user name is omitted, the path will be relative to the runas user's home directory.

This setting is only supported by version 1.9.3 or higher

I don't have a suitable system at hand, but I think you can grant users alice and bob permission to use -D with:

# /etc/sudoers or include from /etc/sudoers.d/
...
# Modify the defaults for the members of User_Alias USERLIST

Defaults:USERLIST   runcwd=*

# User alias specification

User_Alias  USERLIST = alice, bob

As for the security implications: I don't feel qualified to say whether runcwd=* poses any risk or opens new avenues for abuse. A quick search also turned up no recommendations for or against it.
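Since the answer leaves the question of who actually ends up with runcwd=* open, a small audit of the sudoers text helps: runcwd=* hands the choice of working directory to the invoking user, so it should be reviewed alongside the commands those users may run. The script below is an added example, not code from the Server Fault thread or from the sudo project. It parses the subset of sudoers syntax used above (comments, backslash continuations, User_Alias, and Defaults / Defaults:<list> runcwd settings; #include directives and host/command-scoped Defaults are ignored) and resolves the effective runcwd value per user. SAMPLE_SUDOERS is a constructed sample built from the answer's snippet.

```python
"""Audit a sudoers snippet for who may choose the working directory via sudo -D.

Added example: resolves User_Alias entries and Defaults:<list> runcwd settings
from sudoers text. Handles only the syntax subset used here; %group entries
are reported as-is and #include lines are not followed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the answer's snippet plus a global default and a second alias.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        runcwd=~          # global: commands start in the runas user's home

# Modify the defaults for the members of User_Alias USERLIST
Defaults:USERLIST   runcwd=*

# User alias specification
User_Alias  USERLIST = alice, \\
                       bob
User_Alias  OPS = carol
Defaults:OPS        runcwd=/srv
"""

ALIAS_RE = re.compile(r"^User_Alias\s+(\w+)\s*=\s*(.+)$")
DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")
RUNCWD_RE = re.compile(r'(?:^|,)\s*runcwd\s*=\s*("[^"]*"|\S+)')


def _logical_lines(text: str) -> List[str]:
    """Strip '#' comments and join backslash-continued lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_sudoers(text: str) -> Tuple[Dict[str, List[str]], Optional[str], List[Tuple[List[str], str]]]:
    """Return (aliases, global runcwd, [(scope members, runcwd value), ...] in file order)."""
    aliases: Dict[str, List[str]] = {}
    global_runcwd: Optional[str] = None
    scoped: List[Tuple[List[str], str]] = []
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope, body = m.groups()
        r = RUNCWD_RE.search(body)
        if not r:
            continue
        value = r.group(1).strip('"')
        if scope is None:
            global_runcwd = value
        else:
            scoped.append(([s.strip() for s in scope.split(",")], value))
    return aliases, global_runcwd, scoped


def _expand(entry: str, aliases: Dict[str, List[str]], seen: Optional[set] = None) -> List[str]:
    """Recursively expand a User_Alias name into its members (cycle-safe)."""
    seen = seen or set()
    if entry in aliases and entry not in seen:
        out: List[str] = []
        for member in aliases[entry]:
            out.extend(_expand(member, aliases, seen | {entry}))
        return out
    return [entry]


def runcwd_for(user: str, text: str) -> Optional[str]:
    """Effective runcwd for a user: user-scoped Defaults override the global one, later lines win."""
    aliases, global_runcwd, scoped = parse_sudoers(text)
    value = global_runcwd
    for scope, v in scoped:
        members = [m for s in scope for m in _expand(s, aliases)]
        if user in members:
            value = v
    return value


def users_who_can_choose_cwd(text: str) -> List[str]:
    """Names granted runcwd=*, i.e. allowed to pick the directory with sudo -D."""
    aliases, _, scoped = parse_sudoers(text)
    names = {m for scope, _ in scoped for s in scope for m in _expand(s, aliases)}
    return sorted(n for n in names if runcwd_for(n, text) == "*")


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(f"{u}: runcwd={runcwd_for(u, SAMPLE_SUDOERS)}")
    print("may use -D freely:", users_who_can_choose_cwd(SAMPLE_SUDOERS))
```

Run it against a copy of /etc/sudoers (and each file under /etc/sudoers.d/, concatenated) to list the accounts that can pick an arbitrary working directory; any name that surprises you is the one to look at together with its command rules.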

Source: https://serverfault.com/questions/1108438