Linux ACL – How to Get Users to Set ACLs on Directories They Don’t Own

acl, scripting, setuid

I have a set of storage directories on Linux machines, all 770/root:root (perms/owner:group), for which I use ACLs to manage user access. (I am unable to use Unix groups as the directories are shared across a network, where groups are managed via LDAP for which I'm not an admin).

For each directory, one user has full rwx access via ACLs, and all others have rx access via ACLs.

Currently, I have to manually respond to requests to add/remove users, and I'd like this ability to be passed on to the 'rwx' users for the directories they own (because I'm a lazy sysadmin, naturally).

The best solution I can think of is to create a script/program with root setuid that checks for the 'rwx' ACL status of the calling user on the given directory, and allows them to add/remove 'rx' ACL users, as in:

$ modify_acls.sh [--remove] [--add] <my_directory> <other_user>

Is there an easier way of doing it, or will the solution above not work for any reason?

Best Answer

Instead of a setuid shell script, consider enabling a specific script with sudo.

Even though it's used most often this way, sudo isn't restricted to "allow someone to execute any program as root". You can easily configure "user A, B and C are allowed to execute only this particular script as root" in /etc/sudoers. See man sudoers for details.

There isn't really an advantage of using sudo instead of a setuid script, except that on systems where setuid scripts are completely disabled for security reasons, the second alternative just won't work at all. You still could write a custom setuid binary, but inserting a line into sudoers is simpler, quicker and easier to change later on when you want to add or remove users.
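
One way to write the script that the answer suggests running through sudo, as an added example (not code from the question or the answer). The storage root `/srv/storage`, the install path and the user names in the sudoers comment are assumptions; the caller is taken from `SUDO_USER`, which sudo sets to the invoking user.

```shell
#!/bin/sh
# modify_acls.sh, run as root through sudo. Assumed sudoers entry (edit with
# visudo; user names and install path are placeholders):
#   alice, bob ALL = (root) /usr/local/sbin/modify_acls.sh
STORAGE_ROOT=/srv/storage   # assumed parent of the managed directories
LC_ALL=C; export LC_ALL     # make the a-z range below byte-exact

# Conservative login-name check: blocks option injection and extra ACL fields.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True only for a direct child of STORAGE_ROOT (path must already be resolved).
in_storage_root() {
    case "$1" in
        "$STORAGE_ROOT"/*/*) return 1 ;;
        "$STORAGE_ROOT"/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `getfacl -c` output on stdin; true if user $1 holds a named rwx entry.
# Whole-line match, so an entry cut down by the mask ("#effective:") is refused.
has_rwx() {
    grep -q -x -F "user:$1:rwx"
}

main() {
    action=$1 dir=$2 target=$3
    caller=${SUDO_USER:-}            # set by sudo to the invoking user
    [ -n "$caller" ] || { echo "run this through sudo" >&2; return 2; }
    valid_user "$target" && id -u "$target" >/dev/null 2>&1 ||
        { echo "unknown or invalid user" >&2; return 2; }
    [ "$target" != "$caller" ] || { echo "cannot change your own entry" >&2; return 2; }
    real=$(realpath -e -- "$dir") && [ -d "$real" ] && in_storage_root "$real" ||
        { echo "not a managed directory" >&2; return 2; }
    getfacl -c -- "$real" | has_rwx "$caller" ||
        { echo "you do not hold rwx on $real" >&2; return 1; }
    case "$action" in
        --add)    setfacl -m "u:$target:rx" -- "$real" ;;
        --remove) setfacl -x "u:$target" -- "$real" ;;
        *) echo "usage: $0 --add|--remove <directory> <user>" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Resolving the path with `realpath` before the ACL check keeps a symlink or `..` from pointing the root-run `setfacl` at a directory outside the storage root.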
