Hello, I don't understand what practical difference the use of ENABLE_CMD_SUDO_EXEC makes. Without it, fwknopd changes uid to the CMD_EXEC_USER, gid to CMD_EXEC_GROUP and tries to run the given command. With it, fwknopd runs, as root,

    sudo -u sudo_cmd_user -g sudo_cmd_group command

Either way, it looks as if the command will be run if the user has permission to run it and otherwise not. Perhaps there is something that can be done in /etc/sudoers to change this behavior, but I don't immediately see what it would be, and in any case it would have to change the permissions of root under sudo, which could have repercussions elsewhere.
Wouldn't it be better to change the uid and gid to the exec user and group and then run

    sudo -n command

? That way, it would only be possible to run commands that /etc/sudoers gives the exec user explicit permission to run without a password. For instance, the user nobody has permission to run the date command, but not to run "sudo date" unless /etc/sudoers has had a line inserted to permit it.

Stephen Isard

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
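The contrast the post draws is easiest to see in a sudoers file. The fragment below is an added illustration, not part of the original message and not fwknop project configuration; the account nobody, the group nogroup and the path /bin/date are assumptions chosen to match the example in the post, and the "root ALL=(ALL:ALL) ALL" line is the stock entry most distributions ship, which you should confirm on your own system with "sudo -l".

```sudoers
# Added example (not from the fwknop project or the poster): a minimal
# /etc/sudoers fragment showing the two invocation paths discussed above.
# The nobody/nogroup account and /bin/date are assumptions for illustration.

# Stock entry present on most distributions. With ENABLE_CMD_SUDO_EXEC,
# fwknopd is still root when it executes
#     sudo -u nobody -g nogroup /bin/date
# so sudo evaluates *root's* entry. This line lets root run any command as
# any user and group, which is why the sudoers policy does not constrain
# what fwknopd can launch on that path.
root    ALL=(ALL:ALL) ALL

# Entry for the path proposed in the post: fwknopd first drops to
# nobody:nogroup and only then runs
#     sudo -n /bin/date
# Now sudo evaluates nobody's entry, so only the commands listed here are
# permitted. NOPASSWD is required because -n (non-interactive) makes sudo
# fail instead of prompting whenever a password would be needed.
nobody  ALL=(root) NOPASSWD: /bin/date

# Anything not listed, e.g. "sudo -n /bin/sh", is refused for nobody.
```

Edit sudoers only through visudo (or drop the fragment into /etc/sudoers.d/ and check it with "visudo -c -f <file>"), since a syntax error can lock out every sudo user at once; and note that the second path only restricts what runs under sudo, so the exec user must also be a low-privilege account in its own right.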