Hosting Provided By

Re: /sys/power/state question with sudoers!

From: Andrei Popescu <andreimpopescu(at)gmail.com>
Date: Sun Aug 19 2007 - 16:41:39 EDT

On Sun, Aug 19, 2007 at 09:53:20AM -0800, Ken Irving wrote:
> On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> > On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
> >
> > > > > $ sudo sh -c "cd /home ; du -s * ??? sort -rn > USAGE"
> > > > >
> > > > > So, you can do it in on command, sudo is lauching a shell, which is
> > > > > responsible of redirections, pipes, chaining commands...
> > > >
> > > > Please correct me if I'm wrong, but this defeats the purpose of
> > > > restricting sudo to a certain set of commands.
> > >
> > > The command here is 'sh', so this could be restricted as usual.
> >
> > Of course you could, but if you're able to run sh what prevents you from
> > using it to run anything else?
>
> I'm probably misunderstanding something (not sure what the OP's question
> was), but my point was just that you can prevent someone from running
> sh in the first place -- i.e., they wouldn't be able to do the above
> operation.

Probably I misunderstood what you meant. The OP was asking for a method to use sudo to allow only certain operations.

> Any command/program that is allowed to be run under sudo could be misused
> if it allows the user to run a shell from within that program.

Yep

> I don't have much experience with using sudo to *carefully* grant
> privileges to untrusted users, but I would think one could put something
> like the above in a script which the user is allowed to run (as I think
> someone else may have suggested).

Yes, that should work, and seems to me like the best way to achieve the desired result.

Regards,
Andrei

-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

-- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

application/pgp-signature attachment: Digital signature

Received on Sun Aug 19 16:42:20 2007

Do you need help?

This message: [ Message body ]
Next message: Florian Kulzer: "Re: Re^2: Lenny, X, dead mouse"
Previous message: Douglas A. Tutty: "Re: bash vs. python scripts - which one is better?"
In reply to: Ken Irving: "Re: /sys/power/state question with sudoers!"
Next in thread: Gnu_Raiz: "Re: /sys/power/state question with sudoers!"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 02:28:49 EDT