
Re: VI wrapper for SUDO? - another bad way ??



Alvin Oga writes:
>if that sh script is called sucpaliases...
>you cannot (should not) put "sudo sucpaliases" inside of it
>	- infinite recursion...

Of course not.  The script I wrote is "editaliases" and inside that
script, your "sucpaliases" is called.

>-- another simpler way is to make /etc/aliases group writable
>   and newaliases for sudo by certain users
>	-- good and bad idea..
>
>-- and you can put /etc/aliases into cvs control too

These ideas are OK for some things, not for others.  Sendmail is picky
about the ownership and permissions on certain files.

>-- c code is subject to buffer overflow problems...
>-- scripts are susceptible to environment variables changing...

Right - but I think the former is easier to thwart.  Don't most Linux
systems prohibit setuid shell scripts, for example?

>-- in either case...  you have to trust your users that run the
>   scripts/apps to replace  /etc/aliases w/o giving um root access

Of course, the idea is to give certain permissions to certain users
without giving away the farm.  That's what sudo's all about.

--Bill.

-- 
William R Ward            bill@wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
     If you're not part of the solution, you're part of the precipitate.


