Re: /sys/power/state question with sudoers!

On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
>
> > > > $ sudo sh -c "cd /home ; du -s * ??? sort -rn > USAGE"
> > > >
> > > > So, you can do it in on command, sudo is lauching a shell, which is
> > > > responsible of redirections, pipes, chaining commands...
> > >
> > > Please correct me if I'm wrong, but this defeats the purpose of
> > > restricting sudo to a certain set of commands.
> >
> > The command here is 'sh', so this could be restricted as usual.
>
> Of course you could, but if you're able to run sh what prevents you from
> using it to run anything else?

I'm probably misunderstanding something (not sure what the OP's question was), but my point was just that you can prevent someone from running sh in the first place -- i.e., they wouldn't be able to do the above operation.

Any command/program that is allowed to be run under sudo could be misused if it allows the user to run a shell from within that program.

I don't have much experience with using sudo to *carefully* grant privileges to untrusted users, but I would think one could put something like the above in a script which the user is allowed to run (as I think someone else may have suggested).

Ken

-- 
Ken Irving, fnkci+debianuser@uaf.edu


-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org