/bin/chown is a suid program, I believe, and you are undoubtedly using a newer version of visudo/sudoers that likes users and groups defined, like so?

a) You assign users to a group then assign commands to the group in the bottom part of the file:

    User_Alias ADMINS = joe, bill, jake
    User_Alias PARTTIME = jim, jeff, mike
    User_Alias LINUXGROUP = lyte, SirPlaya

Cmnd alias specification

This section is a way of grouping commands together. The syntax is:

    Cmnd_Alias COMMANDALIASNAME = command1,command2,etc...

If you'd like to specify arguments, you can use [] and wildcards to make commands. For instance, one of the below aliases, USERS, includes /usr/sbin/adduser [A-z]*, which means that they can run /usr/sbin/adduser and must have an argument of 1 or more letters.

    Cmnd_Alias BROWSE = /bin/ls, /bin/cd, /bin/cat
    Cmnd_Alias KILL = /bin/kill
    Cmnd_Alias USERS = /usr/sbin/adduser [A-z]*,/usr/sbin/userdel -r [A-z]*

User privilege specification

This is the User privilege section. This is where you give out the special privileges to users, or user aliases, using the aliases we have created above. The syntax is:

    USER HOST=COMMANDS

Where USER can be either a user name or user alias, as well as HOST and COMMANDS.

The below line allows root access to everything... this shouldn't be a problem as root can do whatever he/she wants anyway.

    root ALL=(ALL) ALL

This next line will allow the users specified in the ADMINS alias (joe, bill, and jake) and give them access to everything as well.

    ADMINS ALL=ALL

This next line will show you another interesting feature of sudo. This allows the users in the PARTTIME alias (jim, jeff, mike) to do all of the commands listed in the USERS, KILL, and BROWSE aliases on all servers. In addition to that, they may run /usr/bin/passwd followed by a 1 letter word or more (username of password to change), but the last option says that they CANNOT change root's password. ! is used to represent the word "NOT".

    PARTTIME ALL=USERS,KILL,BROWSE,/usr/bin/passwd [A-z]*, !/usr/bin/passwd root

This next line allows user "djg" access to everything on the hosts listed in the alias DJNET (djbox1 and djbox2).
It IS my network after all. :)

    djg DJNET=ALL

Finally, this last line allows the users listed in the alias LINUXGROUP (lyte and SirPlaya) access to ALL commands as user "www" and to all of the commands listed in the aliases KILL, USERS, and BROWSE on the servers listed in the alias LINUXHELP (lingroup1 and lingroup2).

Follow this HowTo: http://www.linuxhelp.net/guides/sudo/

b) Another easy way to do this is to:

1) Chown the web directories to "webusers" group.

    # chmod -R g+rwx /var/www/html

Then

2) add that user to the group /etc/group of webusers.

AND

3) Only if you don't have follow symlinks enabled outside of DocumentRoot (check in your httpd.conf, .htaccess files and virtual host configuration), enable group execute to the "/bin/chown" command:

    # chgrp webusers /bin/chown
    # chmod g+rx /bin/chown

That way they can all execute that file.

Another fast way is to just add them to the wheel group of /etc/group and change the line in /etc/sudoers for wheel, but that gives them everything.

On Tue, Jan 26, 2010 at 3:30 PM, David <da...@damnetwork.net> wrote:
> Ok, I'm at the point of frustration with this one. I need to be able to give
> a specific user access to change ownership on all files in the web directory.
>
> I've added this to the /etc/sudoers file:
>
> xxxx1234 ALL = NOPASSWD: /bin/chown *
> /var/www/html/invites
>
> Where xxxx1234 is the user I want to give access to. However, after doing
> so, I get this:
>
> wwwphx:/var/www/html/invites>sudo chown vendor web.gif
> Sorry, user xxxx1234 is not allowed to execute '/bin/chown vendor web.gif' as
> root on server.name.com.
>
> I've tried various variations of said sudoer entry, with none working except
> giving carte blanche to the "chown" command, which I'm loathe to do.
>
> What am I doing wrong here?
>
> Thanks,
> David
>
> --
> "I find your lack of faith disturbing."
> --Darth Vader
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

--
Skype: (623)239-3392
AT&T: (503)754-4452
http://obnosis.110mb.com/nuke/index.php
http://uncyclopedia.wikia.com/wiki/Arizona
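
Added example, not part of the thread or of the linked HowTo: a simplified Python model of how a sudoers command spec with arguments is matched, assuming sudo's documented behaviour of comparing the arguments as one space-joined string against shell-style wildcards. It shows why the quoted `/bin/chown * /var/www/html/invites` entry rejects `chown vendor web.gif`, and that `*` and `[A-z]*` accept more than one word. The function names and the test arguments are constructed for illustration.

```python
from fnmatch import fnmatchcase


def split_spec(spec):
    """Split a sudoers command spec into (path, args_pattern or None)."""
    path, _, args = spec.strip().partition(" ")
    return path, (args.strip() or None)


def spec_allows(spec, resolved_path, argv):
    """Simplified model of sudoers matching (an approximation, not sudo itself).

    The fully qualified command path must match. The arguments are joined
    with single spaces and matched as ONE string, so '*' and a trailing
    '[A-z]*' also match spaces, slashes and further words.
    """
    path, args_pattern = split_spec(spec)
    if not fnmatchcase(resolved_path, path):
        return False
    if args_pattern is None:        # spec lists no arguments: any are allowed
        return True
    if args_pattern == '""':        # spec says "": no arguments allowed
        return not argv
    return fnmatchcase(" ".join(argv), args_pattern)


DAVID_SPEC = "/bin/chown * /var/www/html/invites"   # entry quoted in the thread
HOWTO_SPEC = "/usr/sbin/adduser [A-z]*"             # entry from the HowTo text


def demo():
    """Run constructed command lines against the two specs."""
    chown, adduser = "/bin/chown", "/usr/sbin/adduser"
    return {
        # What David typed: the arguments never mention the directory.
        "relative_file": spec_allows(DAVID_SPEC, chown, ["vendor", "web.gif"]),
        # Only a command line ending in the literal directory matches.
        "dir_literal": spec_allows(DAVID_SPEC, chown, ["vendor", "/var/www/html/invites"]),
        "file_in_dir": spec_allows(DAVID_SPEC, chown, ["vendor", "/var/www/html/invites/web.gif"]),
        # '*' spans several words, so extra arguments still match.
        "extra_words": spec_allows(DAVID_SPEC, chown, ["-R", "vendor", "/var/www/html/invites"]),
        # '[A-z]*' is one character from A..z followed by anything at all.
        "howto_multiword": spec_allows(HOWTO_SPEC, adduser, ["alice", "second", "word"]),
        "howto_underscore": spec_allows(HOWTO_SPEC, adduser, ["_svc"]),
        "howto_digit_first": spec_allows(HOWTO_SPEC, adduser, ["9lives"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allowed' if allowed else 'denied'}")
```

Use `sudo -l` as the affected user to see what the real sudo accepts; this model only approximates it.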