Re: set user-id
From: Dan Nelson (dnelson_at_allantgroup.com)
Date: 07/23/03
- Previous message: oremanj_at_get-linux.org: "Re: Installing FreeBSD onto Vinum-volumes?"
- In reply to: Gerald S. Stoller: "Re: set user-id"
- Next in thread: Gerald S. Stoller: "Re: set user-id"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jul 2003 14:23:05 -0500 To: "Gerald S. Stoller" <gs_stoller@hotmail.com>
In the last episode (Jul 23), Gerald S. Stoller said:
>
>
>
> >From: Dan Nelson <dnelson@allantgroup.com>
> >To: Ryan Thompson <ryan@sasknow.com>
> >CC: "Gerald S. Stoller" <gs_stoller@hotmail.com>, vze25pmf@verizon.net,
> >FreeBSD Questions <freebsd-questions@freebsd.org>
> >Subject: Re: set user-id
> >Date: Tue, 22 Jul 2003 14:37:29 -0500
> >
> >In the last episode (Jul 22), Ryan Thompson said:
> >> If you *really* want to have suid scripts, your binary wrapper idea is
> >> quite a common trick. Don't get fancy with it, though. A one-liner to
> >> execve(2) should really be all you need. Either that, or re-code the
> >> whole thing in C (or some other compiled language). C can introduce
> >> insecurities of its own, but at least you'd (arguably) have put them
> >> there yourself. :-)
> >
> >I use sudo for stuff like this. I add a line like this in sudoers:
> >
> I don't understand the next line!
> >ALL ALL = NOPASSWD: /usr/local/bin/thescript
> ??? Setting a variable?? Okay, invoking the script
The sudoers file has a really weird syntax, but what that means is that
any user (the first ALL keyword) may run "thescript" as root on any
machine (the second ALL keyword; this allows the same file to be
replicated to multiple machines) without a password prompt (the
NOPASSWD: keyword).
> >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> with a slight change, I copied ksh to /bin with the name kshroot ,
> made sure
> that the group on it is the group of root , and then did
> chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who have
> the
> root password so they can become root if necessary) can run this shell
> whenever
> they need to act as root , and can use it in scripts (first line:
> #!/bin/kshroot). Again
> note that these scripts can only be invoked by users who are 'close to'
> root. For the
> other users, I'd have to use a sudo.
That will work, too.
-- Dan Nelson dnelson@allantgroup.com _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
- Previous message: oremanj_at_get-linux.org: "Re: Installing FreeBSD onto Vinum-volumes?"
- In reply to: Gerald S. Stoller: "Re: set user-id"
- Next in thread: Gerald S. Stoller: "Re: set user-id"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
