Ubuntu
允許使用者在 sudo 中使用 -D (–chdir) 選項
我想讓使用者
bob
能夠使用-D
in 中的選項sudo
(就像sudo -D /home bash
在 上打開 root shell一樣/home
)。我該怎麼做?這對安全有什麼影響?
該選項相對較新(引入該功能的Changelog 條目是從 2020-09-01 開始的,並且僅從 Ubuntu 21 開始引入了 Ubuntu 支持)
-D directory, --chdir=directory Run the command in the specified directory instead of the current working directory. The security policy may return an error if the user does not have permission to specify the working directory.
中的相關設置
/etc/sudoers
是:runcwd If set, sudo will use this value for the working directory when running a command. The special value “*” will allow the user to specify the working directory via sudo's -D option. See the Chdir_Spec section for more details. .... Chdir_Spec The working directory that the command will be run in can be specified using the CWD setting. The directory must be a fully-qualified path name beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value of “*” indicates that the user may specify the working directory by running sudo with the -D option. By default, commands are run from the invoking user's current working directory, unless the -i option is given. Path names of the form ~user/path/name are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. This setting is only supported by version 1.9.3 or higher
我手頭沒有合適的系統,但我認為您可以允許使用者
alice
和bob
權限使用-D
:# /etc/sudoers or include from /etc/sudoers.d/ ... # Modify the defaults for the members of User_Alias USERLIST Defaults:USERLIST runcwd=* # User alias specification User_Alias USERLIST = alice, bob
至於安全隱患:我覺得沒有資格說是否存在任何風險,或者它是否提供了新的濫用途徑。
runcwd=*
通過粗略的搜尋,我也找不到任何讚成或反對的建議。