I don't understand what practical difference the use of 
ENABLE_CMD_SUDO_EXEC makes.  Without it, fwknopd changes uid to the 
CMD_EXEC_USER, gid to CMD__EXEC_GROUP and tries to run the given 
command.  With it, fwknopd runs, as root,
sudo -u sudo_cmd_user -g sudo_cmd_group command
Either way, it looks as if the command will be run if the user has 
permission to run it and otherwise not.  Perhaps there is something that 
can be done in /etc/sudoers to change this behavior, but I don't 
immediately see what it would be, and in any case it would have to 
change the permissions of root under sudo, which could have 
repercussions elsewhere.

Wouldn't it be better to change the uid and gid to the exec user and 
group and then run
sudo -n command  ?
That way, it would only be possible to run commands that /etc/sudoers 
gives the exec user explicit permission to run without a password.

For instance, the user nobody has permission to run the date command, 
but not to run "sudo date" unless /etc/sudoers has had a line inserted 
to permit it.

Stephen Isard

Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Fwknop-discuss mailing list

Reply via email to