Re: [Fwd: Re: shutdown/halt as user]

To: Jason Ramey <rameyj@ka.net>
Cc: debian-user@lists.debian.org
Subject: Re: [Fwd: Re: shutdown/halt as user]
From: Anthony DeRobertis <asd@suespammers.org>
Date: Wed, 13 Feb 2002 20:04:14 -0500
Message-id: <[🔎] C360360F-20E6-11D6-AADB-00039355CFA6@suespammers.org>
In-reply-to: <[🔎] 1013625838.438.16.camel@apollo.ka.net>


On Wednesday, February 13, 2002, at 01:43 PM, Jason Ramey wrote:

correct, an example is as follows:

puck    ALL= NOPASSWD: /usr/bin/pico -w /etc/bind/[A-z]*

I'm letting puck edit anything in /etc/bind/ using sudo, no password
required. this should fit your needs.

Remember that most editors let you do interesting things. Likeopen arbitrary files. Or execute shell commands. I'm not sureabout pico, but imagine the fun you can have by opening/etc/shadow or /etc/passwd. Wow, puck now has uid 0 ;-)

Also, at least vi will let you run commands of your choice. Picomight even.

I'd _strongly_ suggest doing something like this, assuming youneed to use sudo (for logging, for example). Write a C/perlprogram that:


	1) Copies the file (securely) to something in /tmp
	2) forks
		child:
		  1) Drop all priveleges
		  2) Spawn user's $VISUAL or $EDITOR.
	3) Wait for child process to die
	4) If successful, install change.

This way, the editor (which you shouldn't trust) never runs withprivileges.

Reply to:

Follow-Ups:
- Re: [Fwd: Re: shutdown/halt as user]
  - From: Jason Ramey <rameyj@ka.net>

References:
- [Fwd: Re: shutdown/halt as user]
  - From: Jason Ramey <rameyj@ka.net>

Prev by Date: Re: floppy tape
Next by Date: Re: mouse freezing
Previous by thread: [Fwd: Re: shutdown/halt as user]
Next by thread: Re: [Fwd: Re: shutdown/halt as user]
Index(es):
- Date
- Thread