David Boyes wrote:
OOOOOOOOOOOO now I see said the blind man.
I was hoping to make it very, very simple.
Suggestion: Write some small scripts with the command names you want,
stash them somewhere, and have the aliases call those scripts. You can
then authorize appropriately in sudoers. Also lets it warn you when J.
Random Luser decides to do something stupid.
You can also authorise a directory, say /usr/local/operators/bin
The scripts in that directory can do whatever their author deems
appropriate, so you'd want to be able to change its contents, but the
operator(s) would only be able to execute (maybe not list the directory,
and certainly not list the contents of files).
Review whether AppArmor or SELinux can assist with securing access;
note that once the user's said "sudo" they are root, but maybe the
security can see that it's operator who's become root.
Permissions 700, owner root on the scripts is fine, by the time it
matters the user's root.
Take care with any user input, lest you open a hole. Perl with taint is
good.
In a shell script, my first cut would be something like this:
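# Allowed: a-z, 0-9, slash, space, hyphen (hyphen last so tr reads it literally)
goodchars='a-z0-9/ -'
# Delete allowed characters; the appended "." stops $(...) dropping a leftover newline
TP1=$(printf '%s.' "$1" | tr -d "${goodchars}")
[ "${TP1}" != "." ] && { echo "Invalid input" >&2; exit 1; }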
You might want more in goodchars, but you don't want any of these:-
"<>&;\\\n\r", and don't assume that list is exhaustive.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
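
A fuller version of the allow-list check from the message above, as an added example that is not part of the original post. It matches with a case pattern instead of tr, so no newline can be lost to command substitution, and it also rejects empty arguments and arguments starting with "-" (both assumptions about what an operator script wants); valid_arg and check_args are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post. valid_arg and check_args are
# constructed names; the allowed set is the one from the message.

# Fixed locale so a-z matches only the 26 ASCII lowercase letters.
LC_ALL=C
export LC_ALL

# Return 0 only if $1 is non-empty, does not start with '-', and consists
# solely of a-z, 0-9, '/', space and '-'.
valid_arg() {
    case "$1" in
        '')  return 1 ;;                # empty argument
        -*)  return 1 ;;                # would be read as an option downstream
        *[!a-z0-9/\ -]*)  return 1 ;;   # any other byte, newline and CR included
    esac
    return 0
}

# Validate every argument; report the position, never echo the content back.
check_args() {
    n=0
    for arg in "$@"; do
        n=$((n + 1))
        if ! valid_arg "$arg"; then
            echo "Invalid input in argument $n" >&2
            return 1
        fi
    done
    return 0
}

# In an operator script:  check_args "$@" || exit 1
# then pass values on quoted and after "--", e.g.  some_command -- "$1"
```

Because "." is not in the allowed set, ".." path components are rejected as well; absolute paths are still accepted, so the script itself must decide which directories it will touch.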