Re: debian: user-request-daemon (it could solve some problems)
On Thu, Feb 15, 2007 at 05:34:56PM +0100, Curt Manucredo wrote:
> On Thu, 15 Feb 2007 14:52:03 +0000
> Anton Piatek <firstname.lastname@example.org> wrote:
> > Curt Manucredo wrote:
> > > dear mentors and members
> > >
> > > so this is the attempt to gain help from you! if you wish to have a
> > > copy of this program, please say so.
> > > the description of the 3 executable follows:
> > >
> > > *urequestd* can be called a *virtual super user*. it gets
> > > started on system bootup and awaits requests from the *urequest
> > > client* program. *urequestd* looks up the everybody's accessible
> > > fifo-file */var/opt/urequestd* and in case it finds *urequest*
> > > in */proc/$pid_of_urequest* and can make sure that the request
> > > comes from an urequest instance, it will execute the request and
> > > orphans it into background sending the pid of this process back to
> > > the request client. since urequestd does not execute any process
> > > unless it comes from an urequest-client, all verifications are done
> > > in the urequest client program. this includes user and group
> > > verification as well as checking if the request even exists.
> > >
> > > *urequest* is part of the urequest daemon package. it makes it
> > > possible for any user to *call a command*
> > > without the need for *root-rights*. to make this possible
> > > a rule-file has to be created under */etc/urequestd/rules/*. it must
> > > be a bash-script, set executable and having the file-extension
> > > *.rule*. to then make a normal user able to call such a request
> > > the user must be added with the *urequestp utility* as an authorized
> > > user. it is also possible to add a group to the rule to make a bunch
> > > of users able to call a rule.
> > > ps: i am not subscribed to this list, please cc me!
> > How is this different from sudo?
> well. i don't know how sudo works, but as far as i know it needs a
> password-verification. with urequest you don't. this is not unsafe in
> my opinion since i use urequestd to wvdial for example or for the
> hibernate package or to ifupdown any iface with no need to enter a
> password. on the other hand with sudo anyone can call every command.
> with urequestd it is restricted to just those rules which are present.
> so for example: if your user-account is a member of dialout the
> wvdial-rule will run for you, as long as you add the group dialout to
> it. i don't say urequestd can replace sudo or su (it is not intended
> for that), but i believe it could replace setuid. as far as i can see
> wodim and pmount would be two great candidates for this! are they not?
> so here is my question: does sudo work the same way as urequestd? did i
> reinvent the wheel?
> thank you for your reply.
You can configure sudo to allow only some commands and to not ask for a
password. sudo can do all you do with urequestd, according to your
description. I haven't checked urequestd myself.
IMO you reinvented the wheel (in a more than complicated way).
.''`. | Michael Koch <email@example.com>
: :' : | Free Java Developer <http://www.classpath.org>
`. `' |
`- | 1024D/BAC5 4B28 D436 95E6 F2E0 BD11 5923 A008 2763 483B
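
The sudo setup described in the reply above, sketched as an added example that is not part of the original thread: a sudoers fragment that lets group dialout run a fixed set of commands as root without a password. The file name, binary paths, interface name `ppp0` and user name `alice` are assumptions.

```sudoers
# /etc/sudoers.d/urequest-equivalent  (hypothetical file name; edit with: visudo -f <file>)
# Binary paths and the interface name are assumptions; confirm paths with `command -v`.

# Named command sets. An empty "" argument list means "no arguments allowed",
# so callers cannot pass their own options or config files to a root process.
Cmnd_Alias DIALUP = /usr/bin/wvdial ""
Cmnd_Alias NETIF  = /sbin/ifup ppp0, /sbin/ifdown ppp0
Cmnd_Alias SLEEP  = /usr/sbin/hibernate ""

# Members of group dialout may run only these commands as root, without a password.
%dialout ALL = (root) NOPASSWD: DIALUP, NETIF

# A single user (hypothetical name) allowed to hibernate the machine.
alice    ALL = (root) NOPASSWD: SLEEP
```

`visudo -c` checks the syntax before the file takes effect, and `sudo -l` run as the user lists exactly which commands the policy grants.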