Quoting "James G. Sack (jim)" <[EMAIL PROTECTED]>:
> sudo ./whoami.pl

Doesn't using sudo in that last step kinda negate the whole point? :)

BTW, the lack of setuid shell scripts led me to write a binary wrapper
a while back at work. Probably the most in-depth C code I've done
since school (not saying much.. 141 lines of code). But I put in my
own semi-security bits:

1. You have to have a specific primary gid (so, in theory, only
   sysadmins can run it)
2. You can only give 1 arg: name of script to run as root
3. Script named in 2 must be in a specific path, owned and setuid root
   too (path in AFS so it adds security through AFS ACLs). This is where
   most of the real security comes in.
4. Everything syslogs

Getting #4 working right was actually the hardest part for me; I had
never used any syslog calls before in a C program.

It's been very helpful in doing things to multiple hosts... added
bonus, if you write the script right, you can use the job dispatching
system to have the job pend (if needed), land on the host when a slot
becomes available, close the host so no new jobs start... then wait
until any other jobs are done and then do its thing. Very helpful
for kicking off PXE initiated OS updates that work around the users'
jobs. :)

--
Mike Marion-Unix/Linux Admin-http://www.miguelito.org
"Curiosity is the very basis of education and if you tell me that
curiosity killed the cat, I say only the cat died nobly."
- Arnold Edinborough