Command specific SUDO

Command specific SUDO

Post by Jo » Sat, 12 Jul 2003 05:27:48

Hello, we're trying to implement command-specific sudo for a better audit trail.

An example: instead of

$hostname> sudo su - busch
$hostname> /bin/cp <filename> /tmp/filename

we will be using

$hostname> sudo -u busch /bin/cp <filename> /tmp/.

This works quite well except when we tried to source a profile.

For example, I can do this ...

$hostname> sudo su - busch
$hostname> . /home/busch/profile/xfer.profile

but I cannot do this:

$hostname> sudo -u busch . /home/busch/profile/xfer.profile.

Can I have some help from SUDO gurus please?

Regards
JoeMrit


Command specific SUDO

Post by all mail refus » Sat, 12 Jul 2003 05:42:42
>Hello, We're trying to implement command specific sudo for better audit trail.
>I can do this ...
>$hostname>sudo su - busch
>$hostname>. /home/busch/profile/xfer.profile

>but i cannot do this
>$hostname> sudo -u busch . /home/busch/profile/xfer.profile.

If you allow shell access - or running files writable by someone (such as
the caller) who may not be cooperating with your audit objective - you have
lost.

Better is to allow sudo to run some script (maybe perl for the tainting)
that is writable only by root and reads config files writable only by root.
If you can't squeeze your tasks into that structure I think you might be
better off admitting you provide arbitrary access and retaining the current
practice.


Command specific SUDO

Post by all mail refus » Sun, 13 Jul 2003 05:56:54
>> Better is to allow sudo to run some script (maybe perl for the
>> tainting) that is writable only by root and reads config files
>> writable only by root.

>I would think that this approach would suffer the same problems as
>setuid shell scripts.

Starting scripts via sudo takes care of much of the environment and
of the startup issues (signals and file races).  Typical shell scripts have
an uncomfortable degree of reliance on external programs but, with work,
you can do a great deal better than setuid shell scripts and you can hardly
do worse.


Command specific SUDO

Post by John Prathe » Wed, 16 Jul 2003 07:25:34


Joe,

>$hostname>sudo su - busch
>$hostname>. /home/busch/profile/xfer.profile

You have already given your user access to sudo "su - busch".  Once you
are in a shell (busch's), you can do as you wish as that user.

>but i cannot do this

>$hostname> sudo -u busch . /home/busch/profile/xfer.profile.

Sudo is being run, you are not yet in a shell.  Sudo checks if you can
run the requested command.  Chances are you have not put ".
/home/busch/profile/xfer.profile" in your sudoers file as another
command (like su - busch) which your user can run as user busch.

Sudo is pretty literal about arguments you pass to it, and anything you
want to be able to work by typing sudo at the beginning of a line, you
will need to put into your sudoers file.

Good luck!

-John
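The root-owned wrapper that the earlier reply recommends, written out as an added example (not code from the thread, and not part of sudo itself): a sudoers entry lets a caller run a fixed wrapper as busch, and the wrapper sources a fixed profile only after checking that the file is root-owned and neither group- nor world-writable. The caller name joe and the path /usr/local/sbin/xfer_wrapper.sh are assumptions; `.` is a shell builtin rather than an executable, which is why sudo cannot run it directly as a command.

```shell
#!/bin/sh
# Added example, not code from the thread: a root-owned wrapper that a
# sudoers entry lets the caller run as busch, in place of the (unrunnable)
# "sudo -u busch . /home/busch/profile/xfer.profile". Assumed sudoers line
# (hypothetical caller "joe", hypothetical wrapper path):
#   joe ALL=(busch) /usr/local/sbin/xfer_wrapper.sh
# Sudo matches that path literally, so the caller never reaches a shell;
# the wrapper, not the caller, decides which profile gets sourced.

XFER_PROFILE=/home/busch/profile/xfer.profile   # fixed, never an argument

# profile_is_trusted FILE OWNER_UID
# Returns 0 only if FILE is a regular file owned by OWNER_UID and not
# writable by group or others, so a caller-writable profile is never sourced.
profile_is_trusted() {
    _file=$1
    _want_uid=$2
    [ -f "$_file" ] || return 1
    # GNU stat uses -c; BSD/macOS stat uses -f. Both yield "uid perms".
    if stat -c '%u %a' "$_file" >/dev/null 2>&1; then
        set -- $(stat -c '%u %a' "$_file")
    else
        set -- $(stat -f '%u %Lp' "$_file")
    fi
    [ "$1" = "$_want_uid" ] || return 1
    # The last two octal digits are group and other; any write bit rejects.
    case "$2" in
        *[2367]?|*?[2367]) return 1 ;;
    esac
    return 0
}

# run_xfer SRC DST: source the vetted root-owned profile, then run the one
# copy the audit policy allows. Only SRC and DST come from the caller.
run_xfer() {
    profile_is_trusted "$XFER_PROFILE" 0 || {
        echo "refusing to source $XFER_PROFILE: not root-owned or writable" >&2
        return 1
    }
    . "$XFER_PROFILE"
    /bin/cp -- "$1" "$2"
}

case "$0" in
    *xfer_wrapper.sh) run_xfer "$@" ;;
esac
```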
