Need to run it through some amount of "root profiling". You need the effect of
sudo su - except that you want to also limit them to >one< command. Could probably script it, and still relatively safe. -- R, Rob van der Heij <[EMAIL PROTECTED]> Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> 07/10/2006 01:56 PM Please respond to Linux on 390 Port <LINUX-390@VM.MARIST.EDU> From Rob van der Heij <[EMAIL PROTECTED]> To LINUX-390@VM.MARIST.EDU cc Subject Re: starting apache On 7/10/06, David Boyes <[EMAIL PROTECTED]> wrote: > That's why you allow them only the init script. The init template > provided with most distributions does not depend on the environment > beyond the basics. If you let them run a shell in any form, then yes, > you will lose. You made me double check, and I found I was indeed right... [EMAIL PROTECTED]:~> sudo /etc/init.d/apache restart Shutting down httpd/etc/init.d/apache: line 158: killproc: command not found failed Starting httpd [ Mailman PERL PHP4 Python ]/etc/init.d/apache: line 121: startproc: command not found done And even if it worked, these shell scripts are not robust enough to run under sudo. Frequently they allow environment variables to override essential things and they source configuration files that you may not all protect. IMHO letting people run this under sudo only provides the illusion of security. Rob -- Rob van der Heij Velocity Software, Inc http://velocitysoftware.com/ ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390