
Re: debian: user-request-daemon (it could solve some problems)



On Tue, Feb 27, 2007 at 04:17:10AM +0100, Curt Manucredo wrote:
> i could never imagine that it is possible to call a command and then
> have root rights for it, without authenticating on the system with a
> password. so i thought a daemon running as root might solve that problem
> (which i thought it does exist) ;-). but since today i can not imagine
> how sudo is doing that - it might be very difficult to explain since i
> couldn't find an explanation on the net.
> so, how is sudo doing this auth-job, even with no
> password-verification. how does sudo treat the system?

/etc/sudoers tells sudo who is allowed to do what, who needs to give a
password or not, and so on.  The 'sudo' command itself is a setuid binary,
which means that even when run as an ordinary user, the program has the
rights of its owner -- in this case root -- and can therefore do anything
that root can do.

Yes, exploitable setuid programs are a big security risk.  But they're
invaluable in cases like sudo.

- Matt

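As an added example (not part of the thread or of sudo itself), a POSIX sh audit that checks the two things Matt's reply hinges on: whether a file carries the setuid bit and who owns it. The /usr/bin/sudo path and the system directories it walks are assumptions about a typical Debian layout.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: inspect the setuid bit
# that gives sudo its root rights and list every other setuid file, since
# each one runs with its owner's rights for whoever executes it.

# Return 0 if the file has the setuid bit, 1 otherwise. The fourth
# character of the ls mode string is 's' (or 'S' when the owner lacks the
# execute bit) when the setuid bit is on, e.g. "-rwsr-xr-x" for sudo.
is_setuid() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the owner of a file: the user whose rights a setuid file confers.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# List regular files with the setuid bit under a directory, one per line.
# "-perm -4000" is POSIX find and matches any file with that bit set.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# One-line summary of a file: path, setuid state, owner.
describe() {
    if is_setuid "$1"; then state=setuid; else state=no-setuid; fi
    printf '%s %s owner=%s\n' "$1" "$state" "$(file_owner "$1")"
}

# Run with --audit to describe sudo and every setuid file in the usual
# binary directories (assumed Debian paths).
if [ "${1:-}" = "--audit" ]; then
    [ -e /usr/bin/sudo ] && describe /usr/bin/sudo
    for d in /bin /sbin /usr/bin /usr/sbin; do
        find_setuid "$d" | while IFS= read -r f; do describe "$f"; done
    done
fi
```

Any entry that is setuid and owned by root is a program that hands root's rights to every caller, which is the risk the reply points at; sudo is expected to be on the list, anything unexpected deserves a look.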