[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /sys/power/state question with sudoers!

On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
>  
> > > > $ sudo sh -c "cd /home ; du -s * ??? sort -rn > USAGE"
> > > > 
> > > > So, you can do it in on command, sudo is lauching a shell, which is 
> > > > responsible of redirections, pipes, chaining commands...
> > > 
> > > Please correct me if I'm wrong, but this defeats the purpose of 
> > > restricting sudo to a certain set of commands.
> > 
> > The command here is 'sh', so this could be restricted as usual.
> 
> Of course you could, but if you're able to run sh what prevents you from 
> using it to run anything else?

I'm probably misunderstanding something (not sure what the OP's question
was), but my point was just that you can prevent someone from running
sh in the first place -- i.e., they wouldn't be able to do the above
operation.

Any command/program that is allowed to be run under sudo could be misused
if it allows the user to run a shell from within that program.

I don't have much experience with using sudo to *carefully* grant
privileges to untrusted users, but I would think one could put something
like the above in a script which the user is allowed to run (as I think
someone else may have suggested).

Ken

-- 
Ken Irving, fnkci+debianuser@uaf.edu
Reply to: