Security Implications and Best Practices for Granting chown Privileges in Sudoers File

The proposed sudoers entry:

mike ALL= NOPASSWD:/bin/chown -R www-data\:www-data /var/www

grants user 'mike' passwordless sudo access to a specific chown command with exact parameters. This is more secure than blanket chown privileges, but still requires careful consideration.

Although the entry is restricted to a specific command, several attack vectors remain:

  • Symbolic link attacks if /var/www contains user-writable directories
  • Potential privilege escalation if www-data has special permissions elsewhere
  • Race conditions between checking and modifying permissions

For web directory ownership management, these approaches might be preferable:

1. Group-based Permissions

sudo groupadd webadmins
sudo usermod -a -G webadmins mike
sudo chown -R www-data:webadmins /var/www
sudo chmod -R 2775 /var/www

2. Restricted Sudo with Additional Safeguards

mike ALL= (www-data) NOPASSWD: /bin/chown -R www-data\:www-data /var/www/

Note the trailing slash to prevent path traversal.

If you proceed with the original sudoers entry:

  • Audit /var/www regularly for unexpected symlinks
  • Consider making /var/www immutable where possible, e.g. sudo chattr +i /var/www/config/
  • Implement monitoring for ownership changes

After implementation, verify the restriction works as intended:

# Should work:
sudo chown -R www-data:www-data /var/www

# Should fail:
sudo chown -R www-data:www-data /etc
sudo chown -R root:root /var/www

When configuring sudo permissions for specific commands, we must carefully consider the security implications. The example shows a sudoers entry granting user 'mike' passwordless access to run:

mike ALL= NOPASSWD:/bin/chown -R www-data\:www-data /var/www

This allows executing exactly one command variant:

sudo chown -R www-data:www-data /var/www

The configuration appears reasonably safe when:

  • The command path is fully qualified (/bin/chown)
  • Arguments are explicitly specified (-R www-data:www-data /var/www)
  • The command doesn't contain wildcards or relative paths
  • The web user (www-data) has limited system privileges

However, consider these attack vectors:

# Symlink attack possibility
ln -s /etc/passwd /var/www/malicious
sudo chown -R www-data:www-data /var/www/malicious
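The symlink audit recommended earlier and the symlink scenario just shown both call for the same check, so here is one as an added example that is not from the original post: a shell script that lists every symlink under a web root whose target resolves outside that root, the links a recursive chown confined to /var/www should never be asked to act on. The demo tree, its file names and the audit function name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Audits a directory tree for
# symlinks that resolve outside it. Requires GNU/busybox readlink -f.
set -u

# Print each symlink under $1 whose resolved target lies outside $1,
# one per line as "<link> -> <resolved target>". Links that stay inside
# the tree (and dangling links whose parent is inside) are not reported.
find_escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l -print | while IFS= read -r link; do
        target=$(readlink -f "$link") || target="(unresolvable)"
        case "$target" in
            "$root"/*|"$root") ;;                 # inside the tree: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Build a constructed sample tree: $BASE/www is the web root and
# $BASE/secret is a file outside it. Prints the web root path.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/www/uploads"
    : > "$base/www/index.html"
    : > "$base/secret"
    ln -s ../index.html "$base/www/uploads/inside"   # legitimate, stays in tree
    ln -s "$base/secret" "$base/www/uploads/escape"  # resolves outside the tree
    printf '%s\n' "$base/www"
}

# Stand-alone run: audit the web root given as $1, or the constructed demo tree.
if [ "$#" -gt 0 ]; then
    find_escaping_symlinks "$1"
else
    demo=$(demo_tree)
    find_escaping_symlinks "$demo"
    rm -rf "$(dirname "$demo")"
fi
```

Run it from cron against the real web root (for example `find_escaping_symlinks /var/www`) and alert on any output; an empty result means every link under the tree resolves inside it.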

Mitigation options:

# Option 1: Restrict to specific subdirectory
mike ALL= NOPASSWD:/bin/chown -R www-data\:www-data /var/www/html

# Option 2: Use chown with --no-dereference flag
mike ALL= NOPASSWD:/bin/chown -R --no-dereference www-data\:www-data /var/www

Instead of sudo, consider these more secure alternatives:

# Option 1: Set directory setgid bit
chmod g+s /var/www
chgrp www-data /var/www

# Option 2: ACL permissions
setfacl -R -m g:www-data:rwx /var/www
setfacl -dR -m g:www-data:rwx /var/www

  • Always use full command paths
  • Specify exact arguments when possible
  • Consider using SELinux/AppArmor for finer-grained control
  • Regularly audit sudo usage with 'sudo -l' and auth logs

For a production environment, I recommend:

# /etc/sudoers.d/web-permissions
Cmnd_Alias WWW_OWNER = /bin/chown -R www-data\:www-data /var/www/html, \
                       /bin/find /var/www/html -type d -exec chmod 2750 {} \;, \
                       /bin/find /var/www/html -type f -exec chmod 640 {} \;

mike ALL=(root) NOPASSWD: WWW_OWNER