On Tue, 13 Mar 2007, Kenneth Burgener wrote:
> I got around to trying this today, but when I run my program I get an
> error saying:
>
> [EMAIL PROTECTED] ~]# su -l myuser -c "/usr/myapp/myprogram"
> "This account is currently not available."

What are the reasons why sudo isn't the preferred alternative?

sudo doesn't require the target user to have a valid shell. sudo tries to drop potentially dangerous environment variables before giving control to the target command. sudo allows the issuer of the sudo command to control which shell (if any) will be used to interpret the given target command. And sudo has a fairly sophisticated (if complex) access control mechanism.

Finally, if you're worried about an attacker escaping back to the privileged environment, I'd guess that "exec sudo ..." would provide some comfort.

Sounds like a winner to me, so I'm wondering why it's unsuitable. (Did I miss something obvious?)

Chris

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
