On Fri, 14 Oct 2016, Michael Rash wrote:
> I need to double check
> that '-u <user>' doesn't apply the user policy even though the invoking
> user is root?

The sudoers man page on my system says:
Unlike su(1), when sudoers requires authentication, it validates the invoking user’s credentials, not the target user’s (or root’s) credentials. This can be changed via the rootpw, targetpw and runaspw flags, described later.
In the case of fwknopd running as root, the invoking user is root. I imagine that sudo is basically similar on most systems, but I don't really know.

If this is correct, then yes fwknopd should setuid() first.
Actually it might as well do that anyway I suppose.

If you setuid() to username, then -u username becomes redundant as an argument to sudo. Also, if you want to run sudo after setting uid to username in this context, it is important to use sudo -n (don't ask for a password) or fwknopd will hang while sudo waits for a password that the user can't supply. In the case of a user like nobody, no password even exists.

Stephen Isard
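
The approach discussed in this message, as an added C sketch that is not fwknopd's own code: a root daemon forks, switches permanently to the target user, and only then runs the command through sudo -n, so sudoers evaluates that user's policy and never prompts. The function names and MAX_ARGS are hypothetical, and the sketch assumes the caller starts as root and that sudoers lets the target user run the command without a password.

```c
#include <grp.h>
#include <pwd.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Become `username` for good: groups and gid first, uid last. */
int drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);
    if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    /* If uid 0 can be regained, the drop did not take effect. */
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Build "sudo -n -- cmd...". No "-u": the caller already is the target
 * user. "-n" makes sudo exit with an error instead of prompting. */
int build_sudo_argv(char *const cmd[], char *out[MAX_ARGS])
{
    int n = 0;
    out[n++] = "sudo"; out[n++] = "-n"; out[n++] = "--";
    for (int i = 0; cmd[i] != NULL; i++) {
        if (n >= MAX_ARGS - 1) return -1;   /* keep room for NULL */
        out[n++] = cmd[i];
    }
    out[n] = NULL;
    return n;
}

/* Fork, switch to `username` in the child, exec the command under sudo.
 * Returns the exit status (126: drop failed, 127: exec failed) or -1. */
int run_as_user(const char *username, char *const cmd[])
{
    char *argv[MAX_ARGS];
    int status;
    if (build_sudo_argv(cmd, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (drop_to_user(username) != 0) _exit(126);
        execvp("sudo", argv);
        _exit(127);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) { return argc < 3 ? 2 : run_as_user(argv[1], &argv[2]); }
```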
