FW: Read all files on a given system? (sudo wrapper/sudo shell)
Howard Owen
hbo at egbok.com
Fri May 17 12:53:25 EDT 2002
--On Friday, May 17, 2002 09:59:03 AM -0500 "King, Daniel"
<Daniel.King at fiserv.com> wrote:
> Drat, drat, drat. Sudoscript looks good - for what it does. The tidy
> script is immediately useful to me. However, it is not a shell.
That's why I call it "sudoscript". 8)
> Top shell issues would be:
>
> 1) Working directory
> 2) Globbing
> 3) I/O redirection
> 4) Others?
>
Those are the only ones I know about. To summarize, sudo can't confer
privilege on functions that are:
o Implemented by the shell before sudo is called. This
includes globbing and I/O redirection.
o Builtins to the shell, like cd.
> Perhaps there is a small shell whose source would be readily hackable?
> zsh? ash? If I understand you correctly, I've pretty much got to hack a
> SUID root file to do what I'm looking for ... namely, read the entire
> system, but not write to it. A script simply calling sudo will not do
> the trick. The little voices are telling me to write my own shell ...
> but I'll probably continue to hack on osh.
If you are really implementing a shell that can't write to a filesystem you
have to worry not only about I/O redirection but about the facilities provided
by anything your shell would run, like dd for instance. Seems like a tall
order.
>
> Perhaps I'll lurk a bit on the developer list, too.
>
> Does PowerBroker do anything like this?
>
> Thanks,
>
> A. Daniel King, System Analyst
> Fiserv - Atlanta Center
> 1475 Peachtree Street, NE - Suite 700
> Atlanta, GA 30309
> 404-873-2851 x2034
>
>
> -----Original Message-----
> From: Howard Owen
> Sent: Thursday, May 16, 2002 5:28 PM
> To: King, Daniel; sudo-users at sudo.ws
> Subject: Re: Read all files on a given system? (sudo wrapper/sudo shell)
>
> The problem with glob expansion is it's implemented by the shell before
> sudo is even run. Sudo cannot confer privilege on a process before it
> is invoked!
>
> The same problem occurs with I/O redirection, and for the same reason,
> though there are workarounds for that involving dd and tee.
>
> I've written a system called sudoscript (http://www.egbok.com/sudoscript)
> that runs a root shell with sudo and scripts the session to a FIFO. A
> daemon runs to manage the probably large quantity of information produced
> by script(1).
> It's currently not a good solution for multiuser access, but I'm working
> on that.
> It also suffers from all the drawbacks of script(1), principally large
> quantities of garbled output.
>
> This isn't exactly what you are asking for, but it addresses the same
> problem space.
>
> --On Thursday, May 16, 2002 02:38:21 PM -0500 "King, Daniel"
> <Daniel.King at fiserv.com> wrote:
>
>> Hi, folks
>>
>> I've been using sudo for some time with great success. However, I've now
>> got something sudo can't do. It's even addressed in the sudo man page:
>> -----
>> To make a usage listing of the directories in the /home partition.
>> Note that this runs the commands in a sub-shell to make the cd and
>> file redirection work.
>>
>> % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
>> -----
>>
>> I've been hacking on osh, but I was wondering if there is a way to give
>> read (but not write) access to an entire system, for a single account.
>> In the process I've written a wrapper shell to handle the issue. What
>> are the issues that might come up with the script below? Improvements
>> (docs, yes; others, maybe)? Would it be easily done to apply this ksh
>> logic to build in an internal shell for sudo? osh looked so promising,
>> even if it wasn't up to the same standard as sudo. It would bring me
>> great satisfaction to do something like:
>> $sudo s
>> sudo>cd /etc
>> sudo>rvi shadow
>> sudo>exit
>>
>> And, if I could get tab completion, I would simply be in heaven.
>>
>> Thoughts? Should I take this to the developer list? My c-language
>> programming is really rusty.
>> A. Daniel King, System Analyst
>> Fiserv - Atlanta Center
>> 1475 Peachtree Street, NE - Suite 700
>> Atlanta, GA 30309
>> 404-873-2851 x2034
>>
>> ----- Script begins:
>>
>> #!/usr/bin/ksh
>>
>># dsh by A. Daniel King; A sudo wrapper or sudo shell
>>
>> for x in HUP INT QUIT KILL TERM STOP TSTP CONT
>> do
>> trap 'echo You cannot escape.' SIG$x
>> done
>>
>> workingdir=`/usr/bin/pwd`
>>
>># Here is where the cd code is:
>> function execute {
>>
>> [ "$1" = "" ] && return
>>
>> if [ $1 = "cd" ]
>> then
>> # Add code for cd here:
>> export workingdir=`/usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $* ; /usr/bin/pwd"`
>> else
>> # Run actual commands here:
>> /usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $*"
>> fi
>>
>> }
>>
>> x=""
>> while [[ "$x" != "exit" ]]
>> do
>> printf "%s>" $workingdir
>> read x
>>
>> # Read the command into an array:
>> counter=0
>> max=0
>> for item in $x
>> do
>> array[$counter]=$item
>> (( counter = counter + 1 ))
>> max=$counter
>> done
>>
>> # Parse the output for individual commands ...
>> counter=0
>> while (( counter <= max ))
>> do
>> # If we have a full command, then run it; if not continue
>> # adding to the command:
>> if [[ ( "${array[$counter]}" = ";" ) || ( $counter = $max ) ]]
>> then
>> command=$command" "${array[$counter]}
>> array[$counter]=""
>> execute $command
>> command=""
>> else
>> command=$command" "${array[$counter]}
>> array[$counter]=""
>> fi
>> (( counter = counter + 1 ))
>> done
>>
>> done
>>
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>
> Howard Owen
> EGBOK Consultants
> hbo at egbok.com +1-650-339-5733
> "Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers
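An added example, not code from the thread: it makes the "expanded before sudo is even run" point above concrete. `priv` is a constructed stand-in for sudo that records the exact argv it is handed (as sudo's own log would) and then runs the command unprivileged, so you can see which process expands a glob and which process opens a redirected file; the directory, files and log path are all created by the script.

```shell
#!/bin/sh
# Added example: which process expands globs / opens redirections when a
# sudo-style wrapper sits in the middle. "priv" stands in for sudo.
set -eu

WORK=$(mktemp -d)
PRIV_LOG="$WORK/priv.log"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/data"
printf 'alpha\n' > "$WORK/data/a.txt"   # constructed sample files
printf 'beta\n'  > "$WORK/data/b.txt"

priv() {
    # Record argv exactly as handed over, one [arg] per element.
    printf 'argv:' >> "$PRIV_LOG"
    for arg in "$@"; do printf ' [%s]' "$arg" >> "$PRIV_LOG"; done
    printf '\n' >> "$PRIV_LOG"
    "$@"
}

# 1. Glob typed on the command line: the caller's (unprivileged) shell
#    expands it, so priv only ever sees concrete file names.
glob_by_caller() { priv cat "$WORK"/data/*.txt; }

# 2. Glob inside sh -c: the string reaches priv unexpanded and only the
#    shell priv starts expands it (the man page's "cd /home ; du -s *" idiom).
glob_by_privileged_shell() { priv sh -c "cd $WORK/data ; cat *.txt"; }

# 3. "> file" is opened by the caller before priv runs, so priv's argv
#    never mentions it; piping into "priv tee" makes the wrapped process
#    open the file instead (the dd/tee workaround mentioned in the thread).
redirect_by_caller() { priv cat "$WORK/data/a.txt" > "$WORK/out1"; }
redirect_via_tee() { priv cat "$WORK/data/a.txt" | priv tee "$WORK/out2" > /dev/null; }

# The argv line logged for the most recent priv call.
last_logged_argv() { tail -n 1 "$PRIV_LOG"; }
```

Comparing the logged argv of case 1 with case 2 also shows why a sudoers entry allowing `sh -c` leaves the audit trail with an opaque command string rather than the files actually touched.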