You are right, ksh script won't work -- BUT a compiled C program does work,
with SUID.

Don France
Technical Architect -- Tivoli Certified Consultant
San Jose, Ca
(408) 257-3037
mailto:[EMAIL PROTECTED]

Professional Association of Contract Employees
(P.A.C.E. -- www.pacepros.com)



-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]]On Behalf Of
Gerald Wichmann
Sent: Thursday, May 16, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user


Ya good point and I thought of that. Fortunately it's not a big issue here.
The later suggestion about creating a program and setting SUID doesn't work.
At least not a ksh script. That was the first thing I tried. So far only
sudo works.

Regards,

Gerald Wichmann
Senior Systems Development Engineer
Zantaz, Inc.
925.598.3099 (w)

-----Original Message-----
From: Thomas Denier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 8:34 AM
To: [EMAIL PROTECTED]
Subject: Re: dsmc sched as another user

> Try using sudo.
> You can allow your non-root user execute only the dsmc command as root.

I think this would allow the non-root user to execute dsmc as root with
any operands, not just the 'sched' operand. This would be a serious
security exposure. The non-root user could replace any file on the system
with a copy of a different file or with an older version of the same file.
If the non-root user had root permission on any other Unix client system
the user could back up an arbitrary file there and restore it on the
system where he or she was a non-root user.

As far as I know, the only really safe way to do this is to write a
program specifically to start the scheduler and make that program
root owned, SUID, and executable by the user who needs to start the
scheduler. Many Unix systems even today have a bug that makes SUID
scripts dangerous. Unless you are certain that this bug is fixed on
your system you will need to write the program in C or some other
compiled language.
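
A sketch of the single-purpose wrapper described above, as an added example that is not part of the original messages or any poster's code. It assumes a placeholder install path (`/path/to/dsmc`), a constructed minimal environment, and that dsmc should run with both real and effective IDs set to root; the name `prepare_exec` is hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder: replace with the absolute path of dsmc on your system. */
#define DSMC_PATH "/path/to/dsmc"

/* The only command line this wrapper will ever run. */
static char *const fixed_argv[] = { "dsmc", "sched", NULL };

/* Constructed minimal environment: nothing is inherited from the caller,
 * so LD_PRELOAD, a caller-controlled PATH and similar never reach dsmc.
 * Add any variable dsmc needs here as a fixed string. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Returns 0 and sets the exec vectors, or -1 if the caller supplied any
 * operand (or an empty argv). Caller input is rejected, never forwarded. */
int prepare_exec(int argc, char *const **argv_out, char *const **envp_out)
{
    if (argc != 1)
        return -1;
    *argv_out = fixed_argv;
    *envp_out = clean_env;
    return 0;
}

int main(int argc, char *argv[])
{
    char *const *av;
    char *const *ev;

    (void)argv;
    if (prepare_exec(argc, &av, &ev) != 0) {
        fprintf(stderr, "this wrapper accepts no arguments\n");
        return 2;
    }
    /* Assumption: dsmc should run with real and effective IDs both root.
     * Set the group first, then the user, and check both calls. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(DSMC_PATH, av, ev);  /* absolute path, no shell, no PATH search */
    perror("execve");
    return 1;
}
```

The compiled binary would be installed root-owned and SUID, with execute permission limited to the user or group that needs to start the scheduler, in a directory that only root can write to.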
