Re: debian: user-request-daemon (it could solve some problems)
On Tue, Feb 27, 2007 at 04:17:10AM +0100, Curt Manucredo wrote:
> i could never imagine that it is possible to call a command and then
> have root rights for it, without authenticating on the system with a
> password. so i thought a daemon running as root might solve that problem
> (which i thought it does exist) ;-). but since today i can not imagine
> how sudo is doing that - it might be very difficult to explain since i
> couldn't find an explanation on the net.
> so, how is sudo doing this auth-job, even with no
> password-verification. how does sudo treat the system?
/etc/sudoers tells sudo who is allowed to do what, who needs to give a
password or not, and so on. The 'sudo' command itself is a setuid binary,
which means that even when run as an ordinary user, the program has the
rights of its owner -- in this case root -- and can therefore do anything
that root can do.
Yes, exploitable setuid programs are a big security risk. But they're
invaluable in cases like sudo.
- Matt
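
The setuid mechanism described in the reply above, as an added example that is not part of the original message: it reads a file's mode and owner and reports which effective UID a process would get on executing it. The default path /usr/bin/sudo and the helper names euid_after_exec and is_setuid_root are assumptions made for this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified model of the kernel's exec rule: a regular file with the
 * setuid bit runs with its owner's UID as effective UID; otherwise the
 * caller's effective UID is kept. (nosuid mounts, which make the kernel
 * ignore the bit, are not modelled here.) */
uid_t euid_after_exec(const struct stat *st, uid_t caller_euid)
{
    if (S_ISREG(st->st_mode) && (st->st_mode & S_ISUID))
        return st->st_uid;
    return caller_euid;
}

/* Returns 1 if path is a setuid-root regular file, 0 if not, -1 if
 * stat() fails. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0;
}

int main(int argc, char **argv)
{
    /* Assumed default path; pass another file as the first argument. */
    const char *path = argc > 1 ? argv[1] : "/usr/bin/sudo";
    struct stat st;

    if (stat(path, &st) != 0) {
        perror(path);
        return 1;
    }
    printf("%s: mode %04o, owner uid %ld, setuid-root: %s\n", path,
           (unsigned)(st.st_mode & 07777), (long)st.st_uid,
           is_setuid_root(path) == 1 ? "yes" : "no");
    printf("caller: real uid %ld, effective uid %ld\n",
           (long)getuid(), (long)geteuid());
    printf("effective uid after exec of %s: %ld\n", path,
           (long)euid_after_exec(&st, geteuid()));
    return 0;
}
```

Run as an ordinary user, the last line shows the UID the program itself would run with, which is why the policy check against /etc/sudoers has to happen inside sudo.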