On Fri, Oct 14, 2016 at 11:17 AM, Stephen Isard <xkyr47r...@snkmail.com>
wrote:

> On Fri, 14 Oct 2016, Michael Rash michael.rash-at-gmail.com |fwknop|
> wrote:
> ...
>
>> I need to double check
>> that '-u <user>' doesn't apply the user policy even though the invoking
>> user is root?
>>
>
> The sudoers man page on my system says:
> ------------
> Unlike su(1), when sudoers requires authentication, it validates the
> invoking user’s credentials, not the target user’s (or root’s)
> credentials.  This can be changed via the rootpw, targetpw and runaspw
> flags, described later.
> -----------
> In the case of fwknopd running as root, the invoking user is root.  I
> imagine that sudo is basically similar on most systems, but I don't really
> know.
>
> If this is correct, then yes fwknopd should setuid() first.
>> Actually it might as well do that anyway I suppose.
>>
>
> If you setuid() to username, then -u username becomes redundant as an
> argument to sudo.  Also, if you want to run sudo after setting uid to
> username in this context, it is important to use sudo -n (don't ask for a
> password) or fwknopd will hang while sudo waits for a password that the
> user can't supply.  In the case of a user like nobody, no password even
> exists.


Understood. I've opened issue #237 to make sure this is fixed for 2.6.10.

Thanks,

--Mike



>
>
> Stephen Isard
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
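The pattern the thread settles on, as an added example in C that is not fwknop project code: the daemon setuid()s to the target account itself, so sudo sees that account (not root) as the invoking user and -u becomes redundant, and sudo is run with -n so it exits with an error instead of waiting for a password the account cannot supply. The function names, the use of the nobody account and the iptables command in main are assumptions for illustration only; the sudoers rule that would let the command run without a password is outside this example.

```c
/* Added example, not fwknop code: run a command under a non-root account
 * from a root daemon without sudo ever blocking on a password prompt. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid and verify the drop cannot be undone.
 * Order matters: supplementary groups, then gid, then uid. Once the uid is
 * non-zero, setgroups()/setgid() would fail, so they must come first.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0) {                  /* only root may clear the group list */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* After dropping to a non-root uid, regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Build argv for "sudo -n -- cmd args..." from a NULL-terminated command.
 *   -n : never prompt; if a password would be required sudo prints an error
 *        and exits non-zero at once (accounts like nobody have no password).
 *   no -u : the caller has already setuid()'d to the target user, so sudo
 *        treats that user as the invoking user and -u adds nothing.
 * Returns a malloc'd NULL-terminated array (caller frees), or NULL on error. */
char **build_sudo_argv(char *const cmd[])
{
    size_t n = 0;
    while (cmd && cmd[n])
        n++;
    if (n == 0)
        return NULL;
    char **argv = calloc(n + 4, sizeof *argv);
    if (!argv)
        return NULL;
    argv[0] = "sudo";
    argv[1] = "-n";
    argv[2] = "--";                       /* stop sudo option parsing */
    for (size_t i = 0; i < n; i++)
        argv[3 + i] = cmd[i];
    argv[3 + n] = NULL;
    return argv;
}

/* Fork, drop to uid/gid in the child, then exec "sudo -n -- cmd...".
 * Returns the child's exit status, or -1 on fork/wait error.
 * Because of -n, a missing NOPASSWD rule yields an immediate non-zero exit
 * from sudo rather than a daemon hung on a password prompt. */
int run_as_user(uid_t uid, gid_t gid, char *const cmd[])
{
    char **argv = build_sudo_argv(cmd);
    if (!argv)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        free(argv);
        return -1;
    }
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    free(argv);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed target account and command, for illustration only. */
    struct passwd *pw = getpwnam("nobody");
    if (!pw) {
        perror("getpwnam");
        return 1;
    }
    char *const cmd[] = {"/sbin/iptables", "-L", "-n", NULL};
    int rc = run_as_user(pw->pw_uid, pw->pw_gid, cmd);
    printf("sudo -n exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root, the child ends up as nobody before sudo starts; run as an unprivileged user, drop_privileges() fails in the child and the command is never attempted. Either way the parent returns promptly.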
