Re: Updating files in /etc Remotely (and automated)
On Sun, Sep 12, 2010 at 10:58:22PM +0100, Steve Kemp wrote:
> On Sun Sep 12, 2010 at 16:24:59 -0400, Rob Owens wrote:
>
> > If you run "sudo somescript", then the script runs as root, so every
> > command inside it will run as root.
> > I think it is generally considered smarter, security-wise, to
> > run "somescript" and then include "sudo" inside the script as
> > necessary.
>
> I believe that makes sense in an objective way, but I've never
> seen that defined as a "best practise", and your example fails
> in a way that suggests you've not done it that way yourself.
>
>
> > sudo ls /root/*
>
> Fails. Why? Because _your_ shell does the expansion, before
> passing to sudo.
>
> For example compare these two command and outputs:
>
> skx@birthday:~$ sudo ls /root/*
> skx@birthday:~$
> skx@birthday:~$ sudo ls /root/
> Desktop
> skx@birthday:~$
>
Correct, I didn't test that script myself. It was intended as an
example to clarify my explanation.
Regarding best practice:
If you run your entire script as root, then you introduce the
possibility that someone could cause your script to crash in such a way
that it gives the attacker root access. How? I'm not sure, but if you
run the script as a regular user you can avoid the possibility that
somebody else figures out how.
I'd say it's probably analagous to running services as a non-privileged
user. It's best to do it if you can, because it removes a lot of "what
if" scenarios.
-Rob
Reply to: