Re: sudo nopasswd rm
> > You only need write access to the directory to delete files (unless the sticky bit is set). Make the dir writable by a group the shell script runs as.
>
> IMHO, this is very bad advice (at least unless you know much more about the context of Marco's question). Directory write access is very powerful. It does not only allow to delete files, but also create new files, to change the ownership of files (by copying them and deleting the original) and thus ultimately to change the contents of all files in the directory.
>
> On top of that, depending on the context, it might be a bad idea to make the whole shell script SGID - this is a possible violation of the principle of least privilege.

Yes you're right, I was just throwing an idea into the mix without considering all the possible scenarios. BTW, I wouldn't advocate SGID scripts, rather that the group of the user running the script could be used. Though as you say this may still allow far too much access.

Mike
Re: sudo nopasswd rm
MikeG wrote on Tue, Mar 28, 2006 at 01:00:32PM +0100:
> Marco Fretz wrote:
>> i've got a little problem. i have to remove some files in a shell
>> script that are not owned or writable by the user the shell script
>> runs.
> You only need write access to the directory to delete files (unless the
> sticky bit is set). Make the dir writable by a group the shell script
> runs as.

IMHO, this is very bad advice (at least unless you know much more about the context of Marco's question). Directory write access is very powerful. It does not only allow to delete files, but also create new files, to change the ownership of files (by copying them and deleting the original) and thus ultimately to change the contents of all files in the directory.

On top of that, depending on the context, it might be a bad idea to make the whole shell script SGID - this is a possible violation of the principle of least privilege.

>> is there a way to give this user write access only to the files
>> needed to remove by the shell script (with sudo nopasswd)?

An alternative to using `sudo rm` directly might be to write a small C program calling unlink(2) as needed. You might either install this program SGID to a dedicated group or configure sudo in order to run it. It depends on your particular task whether this alternative is less error-prone, more to the point or just overkill.

In any case, all this is hardly OpenBSD specific.

--
Ingo Schwarze <[EMAIL PROTECTED]> http://www.usta.de/
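A sketch of the kind of small C program suggested in the message above, added here as an example and not code from any poster in this thread. The directory SPOOL_DIR, the ".tmp" suffix rule and the program name rmspool are assumptions chosen for illustration.

```c
/* Added example: restricted delete helper. SPOOL_DIR and the ".tmp"
 * suffix rule are assumptions for illustration, not from the thread. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPOOL_DIR "/var/spool/myjob"   /* hypothetical fixed directory */

/* Accept only plain names: [A-Za-z0-9._-], no leading dot, ".tmp" suffix. */
static int name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n < 5 || n > 255 || name[0] == '.' || strcmp(name + n - 4, ".tmp") != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && !strchr("._-", name[i]))
            return 0;
    return 1;
}

/* Remove one regular file `name` directly inside `dir`; 0 on success, -1 otherwise. */
int remove_spool_file(const char *dir, const char *name)
{
    struct stat st;
    int rc = -1;
    if (!name_ok(name))
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Refuse symlinks, directories, devices: only regular files qualify. */
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISREG(st.st_mode))
        rc = unlinkat(dfd, name, 0);   /* removes the entry in dfd only */
    close(dfd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2 || remove_spool_file(SPOOL_DIR, argv[1]) != 0) {
        fprintf(stderr, "usage: rmspool name.tmp (refused or failed)\n");
        return 1;
    }
    return 0;
}
```

Installed SGID to a dedicated group, or listed as the only command in the user's sudoers entry, this gives the calling script deletion of matching files in one directory and nothing else.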
Re: sudo nopasswd rm
Marco Fretz wrote:
> i've got a little problem. i have to remove some files in a shell script that are not owned or writable by the user the shell script runs.
>
> is there a way to give this user write access only to the files needed to remove by the shell script (with sudo nopasswd)?

In addition to the other fine suggestions, consider writing script(s) which does the needed access, and *only* the needed access. Then configure sudo to give the user permissions to use the access script(s). Call the access script(s) from your existing script.

--
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
Re: sudo nopasswd rm
You only need write access to the directory to delete files (unless the sticky bit is set). Make the dir writable by a group the shell script runs as.

Mike

Marco Fretz wrote:
> hello
>
> i've got a little problem. i have to remove some files in a shell script that are not owned or writable by the user the shell script runs.
>
> is there a way to give this user write access only to the files needed to remove by the shell script (with sudo nopasswd)?
>
> thanks and kind regards
> marco
Re: sudo nopasswd rm
Marco Fretz wrote:
> hello
>
> i've got a little problem. i have to remove some files in a shell script that are not owned or writable by the user the shell script runs.
>
> is there a way to give this user write access only to the files needed to remove by the shell script (with sudo nopasswd)?

With sudo, you can spell out very explicit command lines which can be stuck in scripts, but variations of the commands are not. For example:

    dvd ALL= NOPASSWD: /sbin/mount /drv0,/sbin/mount /drv1, /sbin/umount /drv0,/sbin/umount /drv1

So, yes, I suspect you can use sudo to accomplish your desired deletion, without granting write access to those files to the user in question.

HOWEVER, be careful of "undesired side effects" -- holes you leave that a malicious user could use to their advantage. And don't assume my line above is very correct, I'm not a sudo expert and I can't recall how carefully I tested that. :)

Nick.