Allowing a non-root user to run chown in a chroot like environment
Published January 6th, 2009
Problem Statement
By the laws of the universe, Linux systems such as CentOS will not allow a non-root user to change file ownership using the chown command. It is restricted for good reasons. However, in a Web production environment where other admins need to work on files that are often created by multiple users, such as the Web server itself or another user, this becomes a problem, because root access is often the only way to go. In this hack we demonstrate how you can create a relatively safe (nothing is ever safe) shell script that a non-root user can execute using the sudo facility.
Step 1: Configuring the chroot_chown script for your system
Follow the steps below:
- Download the chroot_chown shell script and rename it to chroot_chown. Next, using your favorite editor (of course, vi), open the file for editing. Review the following lines:
    ROOT_DIR='\/mnt\/www\/production\/'
    SAFE_ROOT_DIR=/mnt/www/production
    USER=production
    GROUP=httpd
- Change the ROOT_DIR value so that it is set to the root directory under which the non-root user is allowed to change ownership. If you set this to /, the user will be able to change ownership anywhere, which would defeat the entire purpose of chrooting the script! So BE CAREFUL when you set this variable. Also, you have to escape the forward-slash characters as we have shown above.
- Set SAFE_ROOT_DIR to the same directory as ROOT_DIR, without escaping the forward-slash characters.
- Set the USER and GROUP variables to the username and group name that you want to allow. This username and group will be set for any directory for which the non-root user attempts to change ownership. This is extra protection, since we do not want the non-root user to intentionally or unintentionally change the ownership of a file to, say, ‘root’ and take over the server. :)
- Save the file with your changes.
Step 2: Installing the script and setting its permissions
Follow the steps below:
- Copy the chroot_chown script to the /usr/bin directory
- Run chmod 755 /usr/bin/chroot_chown
- Run chown root:root /usr/bin/chroot_chown to ensure that the script is owned by root and cannot be altered by any other users
Step 3: Configuring sudo to allow a non-root user to run the chroot_chown script
Follow the steps below:
- Edit the /etc/sudoers file and add a line such as the one shown below:
    %groupname ALL=/usr/bin/chroot_chown
- Change %groupname to the group name of the non-root users who can run the chroot_chown script. For example:
    %ops ALL=/usr/bin/chroot_chown
  This allows the users in the ops group to run the script.
- Save your changes.
Step 4: Testing the chroot_chown script
Now, as a non-root user in the group that can run chroot_chown, do the following:
$ sudo chroot_chown /path/you/want/to/change/ownership
For example:
$ sudo chroot_chown /mnt/www/production/tmp
The user will be asked to enter her password once and, if the password is correct, she will be allowed to change the ownership of the named file or directory to the username and group set in the USER and GROUP variables in the /usr/bin/chroot_chown script.
Now if you think that one of your users can trick the script into changing a critical file permission, yes, we thought about it, and thought about it for a while, and took some measures that should stop such an effort. For example:
$ sudo chroot_chown /etc/passwd
This will fail because the script automatically sets the prefix of the path, giving $SAFE_ROOT_DIR/etc/passwd, which does not exist. So if someone is a bit more interested and tries:
$ sudo chroot_chown /mnt/www/production/../../../etc/passwd
This will fail as the script will catch the .. pattern and print a message like:
Don't be a smarty pant! You cannot have .. in your path.
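The two checks described above (forcing the path under SAFE_ROOT_DIR and rejecting ..) are shown here as an added example; it is not the chroot_chown script itself. It goes one step beyond the page by resolving symbolic links before comparing against the root, since a link inside the tree can point outside it. The function names confine_path and safe_chown are hypothetical.

```shell
#!/bin/sh
# Added example; confine_path and safe_chown are hypothetical names,
# not functions from the page's chroot_chown script.

# confine_path ROOT REQUEST
# Prints the canonical path when REQUEST resolves to ROOT or below it.
confine_path() {
    root=$1 request=$2

    # Reject ".." as a path component, as the page's script does.
    case "/$request/" in
        */../*) echo "refused: '..' in path" >&2; return 1 ;;
    esac

    # Canonicalise the root; never accept "/" as the allowed tree.
    real_root=$(readlink -f -- "$root") || return 1
    [ -d "$real_root" ] && [ "$real_root" != / ] || return 1

    # Keep a request that already carries the root prefix; otherwise
    # force the prefix on, so /etc/passwd becomes ROOT/etc/passwd.
    case "$request" in
        "$root"|"$root"/*) candidate=$request ;;
        *) candidate="$root/${request#/}" ;;
    esac

    # Resolve symbolic links before comparing against the root.
    real_target=$(readlink -f -- "$candidate") && [ -e "$real_target" ] || {
        echo "refused: no such path under $root" >&2; return 1; }

    case "$real_target" in
        "$real_root"|"$real_root"/*) printf '%s\n' "$real_target" ;;
        *) echo "refused: resolves outside $real_root" >&2; return 1 ;;
    esac
}

# safe_chown ROOT OWNER GROUP REQUEST
# OWNER and GROUP are fixed by the administrator, never taken from the caller.
safe_chown() {
    target=$(confine_path "$1" "$4") || return 1
    # -h changes a link itself instead of following it.
    chown -h -- "$2:$3" "$target"
}
```

With the page's values, a wrapper run through sudo would call safe_chown /mnt/www/production production httpd "$1".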