just my <$0.02>
running scripts with the suid bit set is a security hole. It shouldn't be allowed (by design). I'm not sure if there is a kernel option to allow it. IMHO, it's a bug if it does. Limiting the user to sudo the single script should be ok as long as they cannot modify the script, the path to the interpreter (bash, perl, whatever) is literal (no env, or ~/ etc), and the interpreter and any libraries that it can pull in are not writable or modifiable to the user. You have to look out for other things though. For example, for python scripts, one can change the PYTHONPATH environment vars to pull in user rougue libs, instead of libs elsewhere on the system. I also wonder whether, as a regular user, it is possible to sudo, chroot, then run the script to call some other program as the interpreter. There has to be some level of trust when allowing sudo. You basically guard against the accident, but it is very hard to guard against the intentional. namaste, Mark On Tue, 15 Feb 2005, Analabha Roy wrote: > Date: Tue, 15 Feb 2005 06:16:15 -0600 > From: Analabha Roy <[EMAIL PROTECTED]> > To: siglinux <[email protected]> > Subject: Re: [Siglinux] User needs to run script 'as root' > > -----Forwarded Message----- > > > From: Analabha Roy <[EMAIL PROTECTED]> > > To: Daniel Brown <[EMAIL PROTECTED]> > > Subject: Re: [Siglinux] User needs to run script 'as root' > > Date: Tue, 15 Feb 2005 06:15:53 -0600 > > > > On Tue, 2005-02-15 at 06:10, Daniel Brown wrote: > > > > > On Mon, February 14, 2005 20:48, Analabha Roy said: > > > > On Mon, 2005-02-14 at 20:29, Daniel Brown wrote: > > > > > > > >> On Mon, Feb 14, 2005 at 03:19:53PM -0600, Doug McLaren wrote: > > > >> > On Mon, Feb 14, 2005 at 03:12:06PM -0600, Alfonso Lopez wrote: > > > >> > > > > >> > | I have a script that sets up my wireless connection for me, using a > > > >> > | variety of root only commands. I would like to have my users be > > > >> > able > > > >> to > > > >> > | run it. Changing the permissions to allow executions doesn't do > > > >> > the > > > >> > | trick since the script calls ifconfig/iwconfig etc. > > > >> > > > > >> > Google for `sudo' or `super'. You may even have one of them > > > >> > installed > > > >> > already. > > > >> > > > >> I use sudo to execute the scripts I wrote to manage my wireless > > > >> connection. :P > > > > > > > > Is that a good idea? I mean, sudo means that anybody in the sudoers list > > > > can execute ur script with root privs w/out the root passwd, is that > > > > wise? > > > > > > sudo can be very restrictive. In /etc/sudoers you can specific which users > > > can run which commands with which arguments. I normally don't use the > > > sudo-for-everything configuration. > > > > > > > Why not use kdesu instead? Just add a line "kdesu -c "/path-to-script" > > > > and all u have to do is enter the root password when the GUI prompt > > > > shows up. > > > > > > Prompts break automation. I'd rather have a script that runs silently (and > > > doesn't depend on a windowing environment). > > > > > > > It's what I do, I'm just not too comfortable with sudo. In fact, the > > > > only file that I have sudoed is the "su" binary itself (can't do without > > > > THAT, heh). > > > > > > Hmm, I think there is a different way to do that. If you are on gentoo, > > > add your user to the wheel group to give them permission to run su. > > > sudo->su seems excessive. > > > > > > > Ya, but do I have to do that to the daemon users also, or just the > actual ones? > > > > > > > > > > > > > > > danb > > > > > > > > > > ______________________________________________________________________ > > Analabha Roy Graduate Student > > > > Department Of Physics, University of Texas, 1 University Station > > C1600, Austin, Texas 78712-0264, United States emails: > > [EMAIL PROTECTED], Home Page: > > http://www.ph.utexas.edu/~daneel > > > > Get Firefox! > > > > ______________________________________________________________________ > > > ________________________________________________________________________ > Analabha Roy Graduate Student > Department Of Physics, University of Texas, 1 University Station C1600, > Austin, Texas 78712-0264, United States emails: > [EMAIL PROTECTED], Home Page: http://www.ph.utexas.edu/~daneel > Get Firefox! > ________________________________________________________________________ > _______________________________________________ > Siglinux mailing list > [email protected] > http://www.utacm.org:81/mailman/listinfo/siglinux > _______________________________________________ Siglinux mailing list [email protected] http://www.utacm.org:81/mailman/listinfo/siglinux
