Allowing a user to use sudo's -D (--chdir) option

I want user bob to be able to use the -D option with sudo (for example, `sudo -D /home bash` to open a root shell in /home).

How can I do this, and what are the security implications of doing so?

Answer 1

The option is relatively new (the changelog entry introducing the feature is dated 2020-09-01, and Ubuntu support was introduced starting with Ubuntu 21).

man sudo

 -D directory, --chdir=directory
             Run the command in the specified directory instead of the current working
             directory.  The security policy may return an error if the user does not have
             permission to specify the working directory.

The relevant setting in /etc/sudoers is:

 runcwd        If set, sudo will use this value for the working directory when running a
               command.  The special value “*” will allow the user to specify the working
               directory via sudo's -D option.  See the Chdir_Spec section for more details.

  ....
 Chdir_Spec

 The working directory that the command will be run in can be specified using the CWD
 setting.  The directory must be a fully-qualified path name beginning with a ‘/’ or ‘~’
 character, or the special value “*”.  A value of “*” indicates that the user may specify the
 working directory by running sudo with the -D option.  By default, commands are run from the
 invoking user's current working directory, unless the -i option is given.  Path names of the
 form ~user/path/name are interpreted as being relative to the named user's home directory.
 If the user name is omitted, the path will be relative to the runas user's home directory.

 This setting is only supported by version 1.9.3 or higher

I don't have a suitable system at hand, but I think you can grant users alice and bob permission to use -D with:

# /etc/sudoers or include from /etc/sudoers.d/
...
# Modify the defaults for the members of User_Alias USERLIST

Defaults:USERLIST   runcwd=*

# User alias specification

User_Alias  USERLIST = alice, bob

As for the security implications: I don't feel qualified to say whether it is a risk or whether it opens up new avenues for abuse. I did a rough search for runcwd=* and found no advice for or against it either.
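To make the Chdir_Spec rules quoted in the answer concrete, here is a small model of how the runcwd / CWD setting and the -D option interact. This is an added example written for this page; it is not sudo's own code and not part of the answer. Assumptions: the account names and home directories are constructed sample data, the version check ignores sudo's "pN" patch suffix, and the behaviour for a fixed CWD path combined with -D (tolerated only when both name the same directory) is a modelling assumption rather than something the quoted man page states.

```python
"""Model of sudoers' runcwd / Chdir_Spec rules quoted in the answer above.
Added example for illustration; it is not sudo's own code."""
from typing import Mapping, Optional

# Chdir_Spec is only supported by sudoers 1.9.3 or higher (from the man page).
MIN_VERSION = (1, 9, 3)


def parse_version(text: str) -> tuple:
    """Turn 'sudo -V' style strings such as '1.9.5p2' into a comparable tuple.
    Assumption: the 'pN' patch suffix can be ignored for this check."""
    core = text.split("p", 1)[0]
    return tuple(int(part) for part in core.split("."))


def supports_runcwd(version: str) -> bool:
    """True if this sudo version understands the runcwd / CWD settings."""
    return parse_version(version) >= MIN_VERSION


class RuncwdError(ValueError):
    """The policy would refuse the requested working directory."""


def expand_cwd_setting(setting: str, runas_home: str, homes: Mapping[str, str]) -> str:
    """Expand a CWD / runcwd value the way Chdir_Spec describes.

    '*' is returned as-is (user may choose via -D), an absolute path is returned
    unchanged, '~user/path' is relative to that user's home and '~/path' to the
    runas user's home.  Anything else is not a valid setting.
    """
    if setting == "*":
        return "*"
    if setting.startswith("/"):
        return setting
    if setting.startswith("~"):
        user, _, tail = setting[1:].partition("/")
        if user:
            if user not in homes:
                raise RuncwdError(f"unknown user in CWD setting: {user}")
            base = homes[user]
        else:
            base = runas_home
        return f"{base}/{tail}" if tail else base
    raise RuncwdError(f"CWD must start with '/' or '~', or be '*': {setting!r}")


def effective_cwd(runcwd: Optional[str], requested: Optional[str], invoking_cwd: str,
                  runas_home: str, homes: Mapping[str, str], login_shell: bool = False) -> str:
    """Return the directory a command would run in, or raise RuncwdError.

    runcwd       -- the Defaults runcwd= / CWD= value for this user, None if unset
    requested    -- the argument given to sudo -D, None if the option was not used
    invoking_cwd -- the calling user's current directory (the default)
    login_shell  -- whether -i was given (then the default is the runas home)
    """
    default = runas_home if login_shell else invoking_cwd
    if runcwd is None:
        if requested is not None:
            # No runcwd permission: -D is refused, the man page's "may return an error".
            raise RuncwdError("you are not permitted to use the -D option")
        return default
    expanded = expand_cwd_setting(runcwd, runas_home, homes)
    if expanded == "*":
        # runcwd=* delegates the choice to the user; without -D the default applies.
        return requested if requested is not None else default
    # A fixed directory always wins.  Assumption of this model: -D is tolerated
    # only when it names that same directory.
    if requested is not None and requested != expanded:
        raise RuncwdError(f"you are not permitted to use the -D option with {requested}")
    return expanded


def permitted(runcwd: Optional[str], requested: Optional[str], invoking_cwd: str,
              runas_home: str, homes: Mapping[str, str]) -> bool:
    """Convenience wrapper: would this invocation be allowed at all?"""
    try:
        effective_cwd(runcwd, requested, invoking_cwd, runas_home, homes)
        return True
    except RuncwdError:
        return False


# Constructed sample accounts for the demonstration below.
HOMES = {"alice": "/home/alice", "bob": "/home/bob"}

if __name__ == "__main__":
    # bob, covered by "Defaults:USERLIST runcwd=*", running 'sudo -D /home bash'
    print(effective_cwd("*", "/home", "/home/bob", "/root", HOMES))   # /home
    # the same invocation without the Defaults line: -D is refused
    print(permitted(None, "/home", "/home/bob", "/root", HOMES))      # False
```

The point the model makes is that `runcwd=*` hands the choice of working directory entirely to the user, whereas a fixed `CWD=` value pins it regardless of what is passed, and leaving the setting unset keeps -D unavailable; which of the three a site wants is the actual policy decision behind the question.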
