Need to run it through some amount of "root profiling". You need the
effect of

        sudo su -

except that you want to also limit them to >one< command. Could
probably script it, and still relatively safe.

-- R,

Rob van der Heij <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
07/10/2006 01:56 PM
Please respond to Linux on 390 Port <LINUX-390@VM.MARIST.EDU>

To: LINUX-390@VM.MARIST.EDU
Subject: Re: starting apache

On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote:

> That's why you allow them only the init script. The init template
> provided with most distributions does not depend on the environment
> beyond the basics. If you let them run a shell in any form, then yes,
> you will lose.

You made me double check, and I found I was indeed right...

[EMAIL PROTECTED]:~> sudo /etc/init.d/apache restart
Shutting down httpd/etc/init.d/apache: line 158: killproc: command not found
 failed
Starting httpd [ Mailman PERL PHP4 Python ]/etc/init.d/apache: line 121: startproc: command not found
                                                                     done


And even if it worked, these shell scripts are not robust enough to
run under sudo. Frequently they allow environment variables to
override essential things and they source configuration files that you
may not all protect. IMHO letting people run this under sudo only
provides the illusion of security.

Rob
--
Rob van der Heij
Velocity Software, Inc
http://velocitysoftware.com/

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
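
Added example, not part of any message in this thread: a wrapper that could be named in sudoers instead of the init script, covering the points raised above (limit the user to one command, keep the caller's environment away from the script, and refuse to run when a sourced file is loosely protected). The PATH value, the action list and the function names are assumptions, as is the guess that killproc and startproc live in /sbin.

```sh
#!/bin/sh
# Wrapper to name in sudoers in place of the init script itself.
# SAFE_PATH and the action list are assumptions for illustration.
INIT_SCRIPT=/etc/init.d/apache
SAFE_PATH=/sbin:/usr/sbin:/bin:/usr/bin  # assumed to hold killproc/startproc

# Accept exactly one argument, and only from a fixed list of actions.
valid_action() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the script, and every absolute path it sources with ". /path",
# that group or others may write to. Ownership is not checked here.
loose_files() {
    { printf '%s\n' "$1"
      sed -n 's/^\(.*[[:space:]]\)\{0,1\}\.[[:space:]]\{1,\}\(\/[^[:space:];]*\).*/\2/p' "$1"
    } | while read -r f; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Run script $1 with action $2 in an empty environment, so no variable set
# by the caller reaches it and PATH is the fixed value above.
run_clean() {
    env -i PATH="$SAFE_PATH" "$1" "$2"
}

main() {
    valid_action "$@" || { echo "usage: $0 start|stop|restart|status" >&2; return 64; }
    loose=$(loose_files "$INIT_SCRIPT")
    [ -z "$loose" ] || { echo "refusing, writable by non-owner: $loose" >&2; return 77; }
    run_clean "$INIT_SCRIPT" "$1"
}

# With no arguments the file only defines its functions (for sourcing).
[ "$#" -eq 0 ] || main "$@"
```

The sudoers entry would then list only the wrapper's path, and the wrapper itself has to be writable by root alone.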

