
Re: Leafnode permissions



On Mon, 2 Jun 1997, Brian Skreeg wrote:

> I'm using leafnode from 1.2.8 Iconnect CD. A damn good prog for dial-up
> stuff and much easier to use than the heavier cnews and INN. My problem
> comes from the permissions. I want to be able to "fetch" news using
> my personal account "oz" but no matter how I setuid the /usr/sbin/fetch
> program it always says the following;
> 
> /usr/sbin/fetch: must be run as news or root
> 
> I'm not too hot at the setuid business but I've tried various configurations
> and can't get it to accept being run from anything other than "news".

Try setting up sudo to allow oz to run /usr/sbin/fetch as root.

Then (as oz), you can run "sudo /usr/sbin/fetch".

If you put oz in group sudo (edit /etc/groups), then oz won't even need to
enter the root password to run it.

You can also do the same thing with 'super', which is another package which
allows certain users to run certain commands as root (or as another uid).
See the documentation for sudo and/or super for more details.  

Also, there are security concerns with any setuid programs, and you
shouldn't just blindly follow random advice from the net - the only way
to trust your system's security setup is to understand it.




Another (uglier) method would be to have a cron job running as news which
checks for the existence of a file called '/tmp/fetchnews/fetch.news.now'.
If it exists, then 'rm -f /tmp/fetchnews/fetch.news.now' and run
/usr/sbin/fetch.

You'll have to experiment with the permissions to allow oz to create the
file and news delete it... e.g. /tmp/fetchnews could be a subdirectory
owned by oz, group news, setgid and writable by owner & group

    mkdir /tmp/fetchnews
    chown oz:news /tmp/fetchnews
    # 2775 = setgid bit + rwx for owner and group (4775 would set setuid instead)
    chmod 2775 /tmp/fetchnews

should do it.

Get cron to run this every minute while you're testing the setup and
when it's working properly, change it to something more reasonable (like
every 5 or 10 minutes).

Then, all oz needs to do is 'touch /tmp/fetchnews/fetch.news.now' (which
could be put into a shell script or bash alias), and the news will be
fetched the next time the cron job runs.


craig

--
craig sanders
networking consultant                  Available for casual or contract
temporary autonomous zone              system administration tasks.
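
Added example (not part of the original message): one way to write the cron-side half of the flag-file scheme described above, run as user news. The paths and the user name oz come from the message; the variable and function names, the ownership and symlink checks, and the --cron switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: cron-side half of the flag-file scheme, run as user news.
# Paths and the user oz come from the message; all names, the owner check
# and the --cron switch are assumptions of this sketch.
FLAG_DIR="${FLAG_DIR:-/tmp/fetchnews}"
FETCH="${FETCH:-/usr/sbin/fetch}"
FLAG_OWNER="${FLAG_OWNER:-oz}"

# Returns 0 after a fetch, 1 if nothing was requested, 2 if the request
# was refused, 3 if the fetch command itself failed.
run_if_requested() {
    flag="$FLAG_DIR/fetch.news.now"

    # /tmp is world-writable: anyone can pre-create the directory or swap
    # it for a symlink, so insist on a real directory owned by FLAG_OWNER.
    if [ -L "$FLAG_DIR" ] || [ ! -d "$FLAG_DIR" ]; then
        return 2
    fi
    owned=$(find "$FLAG_DIR" -prune -user "$FLAG_OWNER" -print 2>/dev/null)
    [ -n "$owned" ] || return 2

    # No flag (and no dangling symlink in its place): nothing to do.
    if [ ! -e "$flag" ] && [ ! -L "$flag" ]; then
        return 1
    fi

    # Only an ordinary file counts as a request. rm -f on a symlink
    # removes the link itself, never its target.
    if [ -L "$flag" ] || [ ! -f "$flag" ]; then
        rm -f "$flag"
        return 2
    fi

    # Clear the flag before fetching so a failing fetch is not retried
    # on every cron run.
    rm -f "$flag" || return 2
    "$FETCH" || return 3
    return 0
}

# Under cron: * * * * * /path/to/this-script --cron   (path is a placeholder)
case "${1:-}" in
    --cron) run_if_requested ;;
esac
```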

