In the last episode (Jul 23), Gerald S. Stoller said:
>
> >From: Dan Nelson <[EMAIL PROTECTED]>
> >To: Ryan Thompson <[EMAIL PROTECTED]>
> >CC: "Gerald S. Stoller" <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
> >FreeBSD Questions <[EMAIL PROTECTED]>
> >Subject: Re: set user-id
> >Date: Tue, 22 Jul 2003 14:37:29 -0500
> >
> >In the last episode (Jul 22), Ryan Thompson said:
> >> If you *really* want to have suid scripts, your binary wrapper idea is
> >> quite a common trick. Don't get fancy with it, though. A one-liner to
> >> execve(2) should really be all you need. Either that, or re-code the
> >> whole thing in C (or some other compiled language). C can introduce
> >> insecurities of its own, but at least you'd (arguably) have put them
> >> there yourself. :-)
> >
> >I use sudo for stuff like this. I add a line like this in sudoers:
> >
> I don't understand the next line!
> >ALL ALL = NOPASSWD: /usr/local/bin/thescript
> ??? Setting a variable?? Okay, invoking the script

The sudoers file has a really weird syntax, but what that means is that
any user (the first ALL keyword) may run "thescript" as root on any
machine (the second ALL keyword; this allows the same file to be
replicated to multiple machines) without a password prompt (the
NOPASSWD: keyword).

> >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> with a slight change, I copied ksh to /bin with the name kshroot ,
> made sure that the group on it is the group of root , and then did
>     chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who
> have the root password so they can become root if necessary) can run
> this shell whenever they need to act as root , and can use it in
> scripts (first line: #!/bin/kshroot). Again note that these scripts
> can only be invoked by users who are 'close to' root. For the other
> users, I'd have to use a sudo.

That will work, too.

-- 
	Dan Nelson
	[EMAIL PROTECTED]
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"