1

On our server, there are multiple (currently two, expected three or four) users allowed to deploy a new version of our application. This process consists of downloading a few files from a trusted source git repository and starting the application (a non-privileged process).

This all gets done using a single script and takes a couple of seconds, unless another user has left files or directories there with the wrong permissions or group.

Then the deployment fails and we execute

sudo chgrp -R sudo      /our/root/directory
sudo chmod -R g=u,o-rwx /our/root/directory

I'd like to allow us to do this without the need to enter a password.

I know that setuid doesn't work on a shell script (for a good reason). I thought of using a setuid perl script, but it's no longer supported. I could write a C wrapper and a script, but having two files sounds neither comfortable nor secure. I could write the whole stuff in C using system calls, but it'd take me ages.

So I'm asking: What's a simple and secure way to achieve this? Writing some short C code is OK.

It's Ubuntu 16.04 in case it matters.


(*) We're using the group sudo and permission rwxrwx--- or rw-rw---- for the whole tree.

maaartinus

4 Answers

2

Write a shell script and give the applicable users permissions to invoke it with sudo. Use the NOPASSWD directive if you don't want the users to have to type their password (note that order matters, see How to run a specific program as root without a password prompt?).

Make sure that sudo is set up to remove all variables from the environment except for a few safe ones (e.g. LC_* and LANG). This is the case by default on Ubuntu anyway, so on Ubuntu you don't need the Defaults line unless you've changed the env_reset setting.

Defaults!/usr/local/bin/fix-our-permissions env_reset
%our-app-maintainers ALL = NOPASSWD: /usr/local/bin/fix-our-permissions

Alternatively, have people access the deployment area through a filesystem that imposes fixed ownership and permissions, such as a bindfs. See Automatically change file permission upon write to a folder and All files created in directory should be owned by bob


But really, nobody should be deploying manually. Deployment should be triggered manually, but it should be performed by an automated service which runs in a system user account, grabs a version from CI, downloads it and restarts the daemon.
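A sketch of what the `/usr/local/bin/fix-our-permissions` script named in the sudoers rule above could look like; it is an added example, not part of the original answer. The path and group are the ones from the question, and the `fix_tree` function name is made up for this illustration.

```shell
#!/bin/sh
# Added example for /usr/local/bin/fix-our-permissions (name from the sudoers rule).
# It takes no arguments: tree and group are constants, so a caller covered by
# the NOPASSWD rule cannot point root at any other path.

APP_ROOT=/our/root/directory   # placeholder path from the question
APP_GROUP=sudo                 # group named in the question

# fix_tree DIR GROUP: apply GROUP and "g=u,o-rwx" to everything under DIR.
fix_tree() {
    dir=$1
    group=$2
    # Refuse a missing or symlinked top directory.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "fix-our-permissions: bad root: $dir" >&2
        return 1
    fi
    # -xdev stays on one filesystem; "! -type l" skips symlinks, and
    # chgrp -h changes the entry itself, never a link target.
    find "$dir" -xdev ! -type l -exec chgrp -h -- "$group" {} + &&
    find "$dir" -xdev ! -type l -exec chmod g=u,o-rwx -- {} +
}

# Act only when run under the installed name, so fix_tree can be sourced
# and tried on a scratch directory without root.
case ${0##*/} in
    fix-our-permissions)
        PATH=/usr/sbin:/usr/bin:/sbin:/bin
        export PATH
        if [ "$#" -ne 0 ]; then
            echo "usage: fix-our-permissions" >&2
            exit 2
        fi
        fix_tree "$APP_ROOT" "$APP_GROUP"
        ;;
esac
```

Install the script owned by root and writable only by root, in a directory that only root can write to, and add the sudoers lines with `visudo`.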

1

I think you can write a program which monitors your folder, and if it finds a problem, it changes the permissions of the folder or its content. You run this from crontab (root), or you run it as a service (root). This is an alternative.

0

You could change the umask for those users to use the exact chmod that you want; this way every single archive they enter in the system would start with that defined set of permissions.

I'll leave you the link here

0

You could use ACLs (setfacl); that may prevent the permission problems.

An alternative is that you download the files into a new, empty folder and replace the old one afterwards. This can be done atomically by overwriting a symlink to this folder (ln -sf).

Hauke Laging