On Tuesday 11 July 2006 02:41, Rob van der Heij wrote:
>On 7/11/06, Rick Troth <[EMAIL PROTECTED]> wrote:
>> Consider what Kris said about the '-i' flag on 'sudo'.
>
>It appears there's no such flag in the sudo that I have with SuSE so I
>can't tell.
I like using sudo to control root access for admins, but using it to grant
permissions to ordinary users is still a bit sketchy. That -i option fixes
some of the problems, but it's not in SuSE 8 or 9, but that's not the worst
of it. I was shocked when I discovered that it does not change the PATH
environment variable by default, which means you really can't let a user run
any process that might exec another program. That means no shell scripts.
Even the "env_reset" option does not override the user's PATH, you have to
build it with a compile-time "SECURE_PATH" option, which for some reason is
not the default.
The easiest solution is probably a wrapper script that resets the environment
and runs the command you want. Perhaps something like this will work:
#! /bin/bash
# Wrapper script for Apache init script to be invoked by sudo
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
# Only allow the superuser to use this.
if [ "`whoami`" != "root" ]
then echo >&2 "You must use sudo to run this command."
exit 1
fi
# Now invoke the Apache init script.
/etc/init.d/apache "$@"
Put that into something like /usr/bin/apache, and add the line:
%clientgroup ALL = /usr/bin/apache *
to /etc/sudoers to let anyone in the "clientgroup" run that wrapper script
with any arguments. This is pretty secure because it locks down the PATH.
If you have to worry about people modifying this script or the various
configuration files read by /etc/init.d/apache, then this script would be the
least of your problems. :-)
- MacK.
-----
Edmund R. MacKenty
Software Architect
Rocket Software, Inc.
Newton, MA USA
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
