From Todd.Miller at courtesan.com Sat Apr 11 09:50:29 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 11 Apr 2009 09:50:29 -0400
Subject: [sudo-users] Sudo 1.7.1rc1 available
Message-ID: <200904111350.n3BDoTj8011949@core.courtesan.com>

The first release candidate of Sudo version 1.7.1 is now available.
If no major problems are found, the GA of 1.7.1 will be released in
about a week.

Download links:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1rc1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1rc1.tar.gz

What's new in Sudo 1.7.1?

 * A new Defaults option "pwfeedback" will cause sudo to provide visual
   feedback when the user is entering a password.

 * A new Defaults option "fast_glob" will cause sudo to use the
   fnmatch() function for file name globbing instead of glob().  When
   this option is enabled, sudo will not check the file system when
   expanding wildcards.  This is faster but a side effect is that
   relative paths with wildcards will no longer work.

 * New BSM audit support for systems that support it such as FreeBSD
   and Mac OS X.

 * The file name specified with the #include directive may now include
   a %h escape which is expanded to the short form of the hostname.

 * The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.

 * New support for Tivoli-based LDAP START_TLS, present in AIX.

 * New support for /etc/netsvc.conf on AIX.

 * The unused alias checks in visudo now handle the case of an alias
   referring to another alias.

 * A crash when the owner or mode of sudoers is incorrect has been fixed.

From KenneyW at easternct.edu Sat Apr 18 12:13:44 2009
From: KenneyW at easternct.edu (KENNEY, William P. (Info. Tech. Services))
Date: Sat, 18 Apr 2009 12:13:44 -0400
Subject: [sudo-users] Restrict commands to a specific directory tree
Message-ID: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu>

Hello,

I would like to give some privileges to a small group of users that will
allow them to modify files and sub-directories in a specific directory
tree on my server, and nowhere else.

The commands are chown and chmod.

After reading the documentation and searching the archives I can't seem
to find what I need.

TIA,

Bill

From russell+sudo-users at loosenut.com Sat Apr 18 14:23:14 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Sat, 18 Apr 2009 11:23:14 -0700
Subject: [sudo-users] Restrict commands to a specific directory tree
In-Reply-To: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu>
References: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu>
Message-ID: <20090418182313.GC811@fubar.loosenut.com>

You'll most likely need to script something like that, if you really
need repeated chown/chmod in a given tree... there's nothing native in
sudo to restrict a user to a directory structure.  If you really want to
use sudo for it, chances are a simple script or two can provide the
functionality you need (e.g. one script that auto-fixes an entire tree,
another that works under a chroot'd environment and takes arguments,
etc).

Note: generally you can get creative with un*x permissions (including
things like sticky bits) to accomplish limited shared files or similar.
Most modern OSes also include things like ACLs these days, which go over
and above traditional un*x permissions.

On Sat, Apr 18, 2009 at 12:13:44PM -0400, KENNEY, William P. (Info. Tech. Services) wrote:
> Hello,
>
> I would like to give some privileges to a small group of users that will
> allow them to modify files and sub-directories in a specific directory
> tree on my server, and nowhere else.
>
> The commands are chown and chmod.
>
> After reading the documentation and searching the archives I can't seem
> to find what I need.
>
> TIA,
>
> Bill

--
Russell M. Van Tassell
russell at loosenut.com

"When you go fishing with a driftnet, sometimes you catch a dolphin."
  - An RIAA spokesperson, when asked about the spectacle of file-sharing
    lawsuits against innocent grandparents.

From spinler.patrick at mayo.edu Sat Apr 18 13:51:22 2009
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Sat, 18 Apr 2009 12:51:22 -0500
Subject: [sudo-users] Restrict commands to a specific directory tree
In-Reply-To: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu>
References: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu>
Message-ID: <49EA131A.9020905@mayo.edu>

That's quite tough to do securely.  Think about the consequences of soft
and hard links, bind mounts, and being able to chown an suid executable
to a privileged user, as just a few issues.  Ergo, there's no general
solution for this, as far as I know.

What I've done is written a set of very limited functionality wrapper
programs wherein I resolve symlinks *then* check against allowed paths,
only allow setting ownership to a very limited set of users, only allow
setting perms when owned by one of those limited set of users, etc.
Further, I'm very careful to always set the limited set of allowed
directories to be rooted in its own filesystem to avoid the hardlink
issues.

Even with this, I'm still pretty paranoid about it, and rarely enable
these for people.  I'm certain I'll still have missed some security
issues.

Lesson is: security is hard, and chown and chmod are two of the worst to
get right.

-- Pat

KENNEY, William P. (Info. Tech. Services) wrote:
> Hello,
>
> I would like to give some privileges to a small group of users that will
> allow them to modify files and sub-directories in a specific directory
> tree on my server, and nowhere else.
>
> The commands are chown and chmod.
>
> After reading the documentation and searching the archives I can't seem
> to find what I need.
>
> TIA,
>
> Bill
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

From holt at sgi.com Sun Apr 19 06:31:11 2009
From: holt at sgi.com (Robin Holt)
Date: Sun, 19 Apr 2009 05:31:11 -0500
Subject: [sudo-users] Restrict commands to a specific directory tree
In-Reply-To: <20090418182313.GC811@fubar.loosenut.com>
References: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu> <20090418182313.GC811@fubar.loosenut.com>
Message-ID: <20090419103111.GR10768@sgi.com>

On Sat, Apr 18, 2009 at 11:23:14AM -0700, Russell Van Tassell wrote:
>
> You'll most likely need to script something like that, if you really
> need repeated chown/chmod in a given tree... there's nothing native in
> sudo to restrict a user to a directory structure.  If you really want to
> use sudo for it, chances are a simple script or two can provide the
> functionality you need (e.g. one script that auto-fixes an entire tree,
> another that works under a chroot'd environment and takes arguments,
> etc).
>
> Note: generally you can get creative with un*x permissions (including
> things like sticky bits) to accomplish limited shared files or similar.
> Most modern OSes also include things like ACLs these days, which go over
> and above traditional un*x permissions.

XFS filesystem has ACLs.  I use them for exactly the above.  It is being
included with most distros now as well and will be soon on RedHat
Enterprise.

Thanks,
Robin

From spinler.patrick at mayo.edu Sun Apr 19 09:33:07 2009
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Sun, 19 Apr 2009 08:33:07 -0500
Subject: [sudo-users] Offtopic: file permissions Re: Restrict commands to a specific directory tree
In-Reply-To: <20090419103111.GR10768@sgi.com>
References: <52BF9607C0B6F349BC9921B968E6F61806DC42B1@ecsuexbe2.ec-admin.easternct.edu> <20090418182313.GC811@fubar.loosenut.com> <20090419103111.GR10768@sgi.com>
Message-ID: <49EB2813.1040705@mayo.edu>

Robin Holt wrote:
> On Sat, Apr 18, 2009 at 11:23:14AM -0700, Russell Van Tassell wrote:
>> You'll most likely need to script something like that, if you really
>> need repeated chown/chmod in a given tree... there's nothing native in
>> sudo to restrict a user to a directory structure.  If you really want to
>> use sudo for it, chances are a simple script or two can provide the
>> functionality you need (e.g. one script that auto-fixes an entire tree,
>> another that works under a chroot'd environment and takes arguments,
>> etc).
>>
>> Note: generally you can get creative with un*x permissions (including
>> things like sticky bits) to accomplish limited shared files or similar.
>> Most modern OSes also include things like ACLs these days, which go over
>> and above traditional un*x permissions.
>
> XFS filesystem has ACLs.  I use them for exactly the above.  It is being
> included with most distros now as well and will be soon on RedHat
> Enterprise.

Thankfully many modern Linux filesystems nicely support ACLs now, with
the right mount options used:

http://linuxmafia.com/faq/VALinux-kb/acls.html

Just be aware that many standard backup utilities are ACL unaware.  Test
your own backup solution, and make sure you have something in place for
this.

We're investigating using cfengine rulesets as both our master ACL
repository, and since the rulesets are just plain text files, it would
give us backups for free.  See this for details:

http://www.cfengine.org/docs/cfengine-Reference.html#acl

-- Pat

From lists at fipscode.ch Tue Apr 21 15:30:55 2009
From: lists at fipscode.ch (Fabiano Sidler)
Date: Tue, 21 Apr 2009 21:30:55 +0200
Subject: [sudo-users] sudo -i: "cannot execute binary file" or password prompt
Message-ID: <20090421193055.GA7526@true>

Hi folks!

In my sudoers, I have the following (as the last) line:

foo ALL=(ALL) NOPASSWD: /usr/local/bin/bash /usr/local/bin/bar

While this works well when /usr/local/bin/bar is a shell script

foo$ sudo -i /usr/local/bin/bar

I'd also like it to work with any executable.  So far, when I try it
with a binary, sudo says

/usr/local/bin/bar: usr/local/bin/bar: cannot execute binary file

Appending '-- -c' to 'sudo -i', or omitting "/usr/local/bin/bash" in
sudoers, it prompts for a password, which I don't want.

How can I run 'sudo -i /foo/bar' as if /foo/bar were a shell script?
And yes, bash is the login shell of user foo and I definitely need the
login environment for the user when running the command.

Thanks in advance for replies!

Greetings,
Fabiano

From Todd.Miller at courtesan.com Tue Apr 21 16:48:31 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 21 Apr 2009 16:48:31 -0400
Subject: [sudo-users] sudo -i: "cannot execute binary file" or password prompt
In-Reply-To: Your message of "Tue, 21 Apr 2009 21:30:55 +0200." <20090421193055.GA7526@true>
References: <20090421193055.GA7526@true>
Message-ID: <200904212048.n3LKmVOP005612@core.courtesan.com>

In sudo 1.7.0 and higher you would do it like this:

foo ALL=(ALL) NOPASSWD: /usr/local/bin/bash -c /usr/local/bin/bar

and sudo will notice that you passed an argument to the -i flag and add
the -c itself.

There's no good way to do this for versions prior to 1.7.0.

 - todd

From alex_chen at filemaker.com Tue Apr 21 17:28:29 2009
From: alex_chen at filemaker.com (Alex Chen)
Date: Tue, 21 Apr 2009 14:28:29 -0700
Subject: [sudo-users] Passing password to sudo
Message-ID: <49EE3A7D.7020702@filemaker.com>

Is there a way to invoke sudo so that the password can be passed as a
command line parameter instead of manually typing in?
We want to use 'sudo' to execute scripts under a certain user's name
programmatically, e.g. launch sudo via 'exec', and pass the user's
password directly to sudo non-interactively.

We looked at the sudo man page but could not find anything that allows
us to do so.

Any help will be greatly appreciated.

Alex

From lists at fipscode.ch Tue Apr 21 17:47:20 2009
From: lists at fipscode.ch (Fabiano Sidler)
Date: Tue, 21 Apr 2009 23:47:20 +0200
Subject: [sudo-users] Passing password to sudo
In-Reply-To: <49EE3A7D.7020702@filemaker.com>
References: <49EE3A7D.7020702@filemaker.com>
Message-ID: <20090421214720.GA7959@true>

On Tue, Apr 21, 2009 at 02:28:29PM -0700, Alex Chen wrote:
> Is there a way to invoke sudo so that the password can be passed as a
> command line parameter instead of manually typing in?

No, and probably never will be, because then the password could be
retrieved by other users via 'ps' and similar tools.

> We want to use 'sudo' to execute scripts under a certain user's name
> programmatically, e.g.
> launch sudo via 'exec', and pass the user's password
> directly to sudo non-interactively.

Use the sudoers NOPASSWD feature, if you really need to.  The SUID bit
doesn't work for scripts, actually.

> We looked at the sudo man page but could not find anything that allows
> us to do so.

For security reasons, see above.

Greetings,
Fabiano

From lists at fipscode.ch Tue Apr 21 17:51:49 2009
From: lists at fipscode.ch (Fabiano Sidler)
Date: Tue, 21 Apr 2009 23:51:49 +0200
Subject: [sudo-users] sudo -i: "cannot execute binary file" or password prompt
In-Reply-To: <200904212048.n3LKmVOP005612@core.courtesan.com>
References: <20090421193055.GA7526@true> <200904212048.n3LKmVOP005612@core.courtesan.com>
Message-ID: <20090421215149.GB7959@true>

On Tue, Apr 21, 2009 at 04:48:31PM -0400, Todd C. Miller wrote:
> In sudo 1.7.0 and higher you would do it like this:
>
> foo ALL=(ALL) NOPASSWD: /usr/local/bin/bash -c /usr/local/bin/bar

Works perfectly, thanks!

> There's no good way to do this for versions prior to 1.7.0.

I see... even such an old tool as sudo still makes some advances! :)

Greetings,
Fabiano

From robert.weeden.jr at ge.com Tue Apr 21 09:42:45 2009
From: robert.weeden.jr at ge.com (Weeden Jr, Robert(GE Infra, Aviation, US))
Date: Tue, 21 Apr 2009 09:42:45 -0400
Subject: [sudo-users] Sudoers
Message-ID: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com>

Hi, and to whom it may concern.

I'm trying to do the following:

1. Runas_Alias DB = oracle
2. someusername ALL= (DB) NOPASSWD:ALL

However, I'm receiving " >>> sudoers file: syntax error, line X <<<"

Any help would be appreciated.

Thanks

Robert Weeden Jr
GE Aviation Systems
SR. IT Professional (UNIX & Linux)

T +1 616 241 8548
F +1 616 2417326
robert.weeden.jr at ge.com

3290 Patterson Avenue, SE
Grand Rapids, MI 49512-1991, USA
GE Aviation Systems LLC
GE imagination at work

From russell+sudo-users at loosenut.com Wed Apr 22 12:06:19 2009
From: russell+sudo-users at loosenut.com (Russell Van Tassell)
Date: Wed, 22 Apr 2009 09:06:19 -0700
Subject: [sudo-users] Sudoers
In-Reply-To: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com>
References: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com>
Message-ID: <20090422160619.GY811@fubar.loosenut.com>

On Tue, Apr 21, 2009 at 09:42:45AM -0400, Weeden Jr, Robert(GE Infra, Aviation, US) wrote:
> However, I'm receiving " >>> sudoers file: syntax error, line X <<<"

Can you include your sudoers file or, at least, the lines around where
the error is being reported?

--
Russell M. Van Tassell
russell at loosenut.com

It is easier to change the specification to fit the program than vice versa.

From jayen at science.unsw.edu.au Wed Apr 22 20:47:33 2009
From: jayen at science.unsw.edu.au (Jayen Ashar)
Date: Thu, 23 Apr 2009 10:47:33 +1000
Subject: [sudo-users] console users only
Message-ID: <49EFBAA5.8070502@science.unsw.edu.au>

Is it possible to make a sudoers to allow only console users to execute
commands, like X?
--Jayen

--
Jayen Ashar
Technical Officer
Computing Center
School of Mathematics and Statistics
M029, Red Center
The University of New South Wales
SYDNEY NSW 2052
Ph: + 61 (2) 93857016
Fax: + 61 (2) 93857192
CRICOS provider code: 00098G

From robert.weeden.jr at ge.com Wed Apr 22 09:34:52 2009
From: robert.weeden.jr at ge.com (Weeden Jr, Robert(GE Infra, Aviation, US))
Date: Wed, 22 Apr 2009 09:34:52 -0400
Subject: [sudo-users] Sudoers
In-Reply-To: <49EF1C81.1010704@stanford.edu>
References: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com> <49EF1C81.1010704@stanford.edu>
Message-ID: <69ABDB41F438EF499C150818A55F635B05132B18@CINMLVEM26.e2k.ad.ge.com>

Thanks for the response; however, I got it.

User_Alias DBA=riederg,erzenrd,subrahg,hartmanr,vishwajk
Cmnd_Alias SUO=/usr/bin/su - oracle,!/usr/bin/su *root*
DBA ALL=SUO

-----Original Message-----
From: John Shott [mailto:shott at stanford.edu]
Sent: Wednesday, April 22, 2009 9:33 AM
To: Weeden Jr, Robert(GE Infra, Aviation, US)
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudoers

Robert:

Although I can't find an authoritative source of information to quote, I
believe that you need to add a space following 'NOPASSWD:' for sudo to
be happy with your syntax.

Good luck,

John

From shott at stanford.edu Wed Apr 22 09:32:49 2009
From: shott at stanford.edu (John Shott)
Date: Wed, 22 Apr 2009 06:32:49 -0700
Subject: [sudo-users] Sudoers
In-Reply-To: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com>
References: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com>
Message-ID: <49EF1C81.1010704@stanford.edu>

Robert:

Although I can't find an authoritative source of information to quote, I
believe that you need to add a space following 'NOPASSWD:' for sudo to
be happy with your syntax.

Good luck,

John

From robert.weeden.jr at ge.com Wed Apr 22 12:20:33 2009
From: robert.weeden.jr at ge.com (Weeden Jr, Robert(GE Infra, Aviation, US))
Date: Wed, 22 Apr 2009 12:20:33 -0400
Subject: [sudo-users] Sudoers
In-Reply-To: <20090422160619.GY811@fubar.loosenut.com>
References: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com> <20090422160619.GY811@fubar.loosenut.com>
Message-ID: <69ABDB41F438EF499C150818A55F635B05132EF8@CINMLVEM26.e2k.ad.ge.com>

Actually, I got it.

User_Alias DBA=riederg,erzenrd,subrahg,hartmanr,vishwajk
Cmnd_Alias SUO=/usr/bin/su - oracle,!/usr/bin/su *root*
DBA ALL=SUO

Thanks

-----Original Message-----
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Wednesday, April 22, 2009 12:06 PM
To: Weeden Jr, Robert(GE Infra, Aviation, US)
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudoers

On Tue, Apr 21, 2009 at 09:42:45AM -0400, Weeden Jr, Robert(GE Infra, Aviation, US) wrote:
> However, I'm receiving " >>> sudoers file: syntax error, line X <<<"

Can you include your sudoers file or, at least, the lines around where
the error is being reported?

--
Russell M. Van Tassell
russell at loosenut.com

It is easier to change the specification to fit the program than vice versa.

From Todd.Miller at courtesan.com Thu Apr 23 09:41:49 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 23 Apr 2009 09:41:49 -0400
Subject: [sudo-users] Sudoers
In-Reply-To: Your message of "Wed, 22 Apr 2009 06:32:49 PDT." <49EF1C81.1010704@stanford.edu>
References: <69ABDB41F438EF499C150818A55F635B050FE54D@CINMLVEM26.e2k.ad.ge.com> <49EF1C81.1010704@stanford.edu>
Message-ID: <200904231341.n3NDfnbi010768@core.courtesan.com>

In message <49EF1C81.1010704 at stanford.edu>
	so spake John Shott (shott):

> Although I can't find an authoritative source of information to quote, I
> believe that you need to add a space following 'NOPASSWD:' for sudo to be
> happy with your syntax.

No, the whitespace is optional.

 - todd

From Todd.Miller at courtesan.com Thu Apr 23 09:46:38 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 23 Apr 2009 09:46:38 -0400
Subject: [sudo-users] Passing password to sudo
In-Reply-To: Your message of "Tue, 21 Apr 2009 14:28:29 PDT." <49EE3A7D.7020702@filemaker.com>
References: <49EE3A7D.7020702@filemaker.com>
Message-ID: <200904231346.n3NDkcMH022957@core.courtesan.com>

In message <49EE3A7D.7020702 at filemaker.com>
	so spake Alex Chen (alex_chen):

> Is there a way to invoke sudo so that the password can be passed as a
> command line parameter instead of manually typing in?
> We want to use 'sudo' to execute scripts under a certain user's name
> programmatically, e.g. launch sudo via 'exec', and pass the user's
> password directly to sudo non-interactively.
>
> We looked at the sudo man page but could not find anything that allows
> us to do so.

No, because the password would be visible to anyone in a ps listing.
However, you can send the password to sudo's standard input with the -S
flag.  Note that since you won't know whether sudo needs a password or
not you probably need to use the -k flag first to clear any existing
timestamp.

You might be better off just allowing the user in question to run those
scripts without a password using the NOPASSWD tag.

 - todd

From Todd.Miller at courtesan.com Thu Apr 23 09:53:45 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 23 Apr 2009 09:53:45 -0400
Subject: [sudo-users] console users only
In-Reply-To: Your message of "Thu, 23 Apr 2009 10:47:33 +1000." <49EFBAA5.8070502@science.unsw.edu.au>
References: <49EFBAA5.8070502@science.unsw.edu.au>
Message-ID: <200904231353.n3NDrj14010781@core.courtesan.com>

In message <49EFBAA5.8070502 at science.unsw.edu.au>
	so spake Jayen Ashar (jayen):

> Is it possible to make a sudoers to allow only console users to execute
> commands, like X?

No, sudo doesn't support restricting commands based on the tty the
user is logged in to.
On Linux, you may wish to look into configuring pam_console.so
via /etc/security/console.perms and /etc/security/console.apps/
to see if that will meet your needs.

 - todd

From jayen at science.unsw.edu.au Thu Apr 23 18:16:52 2009
From: jayen at science.unsw.edu.au (Jayen Ashar)
Date: Fri, 24 Apr 2009 08:16:52 +1000
Subject: [sudo-users] console users only
In-Reply-To: <200904231353.n3NDrj14010781@core.courtesan.com>
References: <49EFBAA5.8070502@science.unsw.edu.au> <200904231353.n3NDrj14010781@core.courtesan.com>
Message-ID: <49F0E8D4.8010209@science.unsw.edu.au>

pam_console.so appears to be a Fedora thing, and looks like it's been
removed, too.
(http://fedoraproject.org/wiki/Releases/FeatureRemovePAMConsole)

What I'm trying to do is deploy a series of Ubuntu desktops, and give
each user control of their own desktop, by way of tying sudoers with the
console user.  Other than pam_console, or a pam module that alters
sudoers, is there another way to do this?  Is there a proper way to do
this?

Thanks,
Jayen

Todd C. Miller wrote:
> In message <49EFBAA5.8070502 at science.unsw.edu.au>
> 	so spake Jayen Ashar (jayen):
>
>> Is it possible to make a sudoers to allow only console users to execute
>> commands, like X?
>
> No, sudo doesn't support restricting commands based on the tty the
> user is logged in to.
>
> On Linux, you may wish to look into configuring pam_console.so
> via /etc/security/console.perms and /etc/security/console.apps/
> to see if that will meet your needs.
>
>  - todd

From erwin_hom at filemaker.com Mon Apr 27 21:18:36 2009
From: erwin_hom at filemaker.com (Erwin Hom)
Date: Mon, 27 Apr 2009 18:18:36 -0700
Subject: [sudo-users] How userA can run userB's script
Message-ID: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com>

Greetings,

I have userA and userB on the system.  There is a process running with
userA's ID and I would like the process to run a script owned by userB
with userB's password.
What do I need to add to /etc/sudoers to do this?

There is a setting in sudoers which lets you use the target user's
password, i.e.

Defaults targetpw

But it seems to be a default behavioral change of 'sudo' that affects
every user, not just userA, right?

Thanks in advance,
- E r w i n

From christian.peper at kpn.com Tue Apr 28 02:41:44 2009
From: christian.peper at kpn.com (christian.peper at kpn.com)
Date: Tue, 28 Apr 2009 08:41:44 +0200
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com>
Message-ID:

> -----Original Message-----
> I have userA and userB on the system.  There is a process
> running with userA's ID and I would like the process to run a
> script owned by userB with userB's password.
> What do I need to add to /etc/sudoers to do this?
>
> There is a setting in sudoers which lets you use the target
> user's password, i.e.
>
> Defaults targetpw
>
> But it seems to be a default behavioral change of 'sudo' that
> affects every user, not just userA, right?

Why does userA need to run the script with userB's passwd?
Sudo will let userA run the script owned by userB on machine B without
the need for a passwd.  Isn't that enough?

userA ALL=(userB) NOPASSWD: /home/userB/scripts/runthis.sh

Please note that allowing someone to run scripts this way without a
passwd opens up security holes, since scripts could be edited,
symbolically linked to, copied, etc.

You could also use xattrib to set more detailed file permissions than
the common u,g,o+rx.

Chris.

From Hullen at t-online.de Tue Apr 28 03:02:00 2009
From: Hullen at t-online.de (Helmut Hullen)
Date: 28 Apr 2009 09:02:00 +0200
Subject: [sudo-users] How userA can run userB's script
In-Reply-To:
Message-ID:

Hello christian.peper, you wrote on 28.04.09:

>> -----Original Message-----
>> I have userA and userB on the system.  There is a process
>> running with userA's ID and I would like the process to run a
>> script owned by userB with userB's password.

[...]

> Why does userA need to run the script with userB's passwd?
> Sudo will let userA run the script owned by userB on machine B
> without the need for a passwd.  Isn't that enough?

I have this problem around PHP scripts.  They are run from the webserver
(most times apache), but if I want (e.g.) to change a user's password
then it's a good idea to run this special script with the user's ID and
password.

I'm looking for a solution too ...

Best regards!
Helmut

From Todd.Miller at courtesan.com Tue Apr 28 10:14:07 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Tue, 28 Apr 2009 10:14:07 -0400
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: Your message of "Mon, 27 Apr 2009 18:18:36 PDT." <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com>
Message-ID: <200904281414.n3SEE7W2030041@core.courtesan.com>

In message <20FCEE8F-485C-4227-B823-F823BBE55827 at filemaker.com>
	so spake (erwin_hom):

> There is a setting in sudoers which lets you use the target user's
> password, i.e.
>
> Defaults targetpw
>
> But it seems to be a default behavioral change of 'sudo' that affects
> every user, not just userA, right?

Correct.  However, you can bind that option specifically to userA.
E.g.

Defaults:userA targetpw

and then whenever userA runs sudo he/she will need to use the password
of the user the command is being run as.

 - todd

From Matthew.Stier at us.fujitsu.com Tue Apr 28 10:41:43 2009
From: Matthew.Stier at us.fujitsu.com (Matthew Stier)
Date: Tue, 28 Apr 2009 10:41:43 -0400
Subject: [sudo-users] How userA can run userB's script
In-Reply-To: <200904281414.n3SEE7W2030041@core.courtesan.com>
References: <20FCEE8F-485C-4227-B823-F823BBE55827@filemaker.com> <200904281414.n3SEE7W2030041@core.courtesan.com>
Message-ID: <49F715A7.2020506@us.fujitsu.com>

Todd C. Miller wrote:
> In message <20FCEE8F-485C-4227-B823-F823BBE55827 at filemaker.com>
> 	so spake (erwin_hom):
>
>> There is a setting in sudoers which lets you use the target user's
>> password, i.e.
>>
>> Defaults targetpw
>>
>> But it seems to be a default behavioral change of 'sudo' that affects
>> every user, not just userA, right?
>
> Correct.  However, you can bind that option specifically to userA.
> E.g.
>
> Defaults:userA targetpw
>
> and then whenever userA runs sudo he/she will need to use the
> password of the user the command is being run as.
>
>  - todd

But that's the problem with changing this default.  It applies to all
commands that userA runs.  UserA will need to know the password of every
account (s)he will be running a command as.

Running a command as userB will require userB's password.
Running a command as userC will require userC's password.
Running a command as root will require root's password.

As long as this is not an issue ....

From barcaroller at sympatico.ca Thu Apr 30 18:27:03 2009
From: barcaroller at sympatico.ca (barcaroller)
Date: Thu, 30 Apr 2009 18:27:03 -0400
Subject: [sudo-users] sudo access question...
Message-ID:

How can I check if a certain user has sudo access, without having sudo
access myself?

The reason I ask is that I'm writing a bash script which will behave
differently if the user running it has sudo access.
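A restricted chown/chmod wrapper of the kind Pat describes in the "Restrict commands to a specific directory tree" thread above (resolve symlinks first, check the result against one allowed tree kept on its own filesystem, allow only a small set of owners, never grant setuid), written here as an added example; it is not code from the list or from sudo. The /srv/share tree, the owner names alice and bob, the script name tree_perms, and a sudoers line such as `%share_admins ALL=(root) /usr/local/sbin/tree_perms` (granting the wrapper, not chmod or chown themselves) are all constructed for the example.

```python
"""Restricted chmod/chown wrapper: resolve symlinks first, then check the result
against one allowed tree on its own filesystem and a small set of owners."""
import os
import pwd
import stat
import sys

ALLOWED_ROOT = "/srv/share"             # constructed; mounted as its own fs
ALLOWED_OWNER_NAMES = {"alice", "bob"}  # constructed; resolved to uids at run time
FORBIDDEN_BITS = stat.S_ISUID | stat.S_ISGID


class PolicyError(Exception):
    """A request that falls outside the wrapper's policy."""


def _inside(root, path):
    """True if path is root or below it (a prefix test would accept /srv/share2)."""
    return os.path.commonpath([root, path]) == root


def _default_owners():
    return {pwd.getpwnam(name).pw_uid for name in ALLOWED_OWNER_NAMES}


def open_checked(target, root, allowed_owners):
    """Resolve target, check it against policy and return an open descriptor;
    callers modify the file through it, so what was checked is what gets changed."""
    root = os.path.realpath(root)
    real = os.path.realpath(target)      # follow every symlink component first
    if not _inside(root, real):
        raise PolicyError(f"{target} resolves to {real}, outside {root}")
    # O_NOFOLLOW: if a symlink is planted after realpath(), open fails (OSError)
    fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)
        if st.st_dev != os.stat(root).st_dev:
            raise PolicyError("target is not on the allowed filesystem")
        if not stat.S_ISDIR(st.st_mode) and st.st_nlink != 1:
            raise PolicyError("target has additional hard links")
        if st.st_uid not in allowed_owners:
            raise PolicyError("target is owned by a user outside the allow list")
    except Exception:
        os.close(fd)
        raise
    return fd


def restricted_chmod(target, mode, root=ALLOWED_ROOT, allowed_owners=None):
    """chmod within policy; setuid/setgid are never granted.  Returns the mode set."""
    if mode & FORBIDDEN_BITS:
        raise PolicyError("setuid/setgid bits are not permitted")
    owners = _default_owners() if allowed_owners is None else allowed_owners
    fd = open_checked(target, root, owners)
    try:
        os.fchmod(fd, mode & 0o7777)
    finally:
        os.close(fd)
    return mode & 0o7777


def restricted_chown(target, new_uid, root=ALLOWED_ROOT, allowed_owners=None):
    """chown within policy; the new owner must also be on the allow list."""
    owners = _default_owners() if allowed_owners is None else allowed_owners
    if new_uid not in owners:
        raise PolicyError("new owner is outside the allow list")
    fd = open_checked(target, root, owners)
    try:
        os.fchown(fd, new_uid, -1)       # -1 leaves the group unchanged
    finally:
        os.close(fd)
    return new_uid


def main(argv):
    # Usage: tree_perms chmod OCTAL PATH | tree_perms chown USER PATH
    ops = {"chmod": lambda a, t: restricted_chmod(t, int(a, 8)),
           "chown": lambda a, t: restricted_chown(t, pwd.getpwnam(a).pw_uid)}
    try:
        op, arg, target = argv[1:4]
        ops[op](arg, target)             # KeyError for an unknown operation
    except (ValueError, KeyError, OSError, PolicyError) as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Bind mounts defeat the st_dev check only if an administrator creates one inside the tree, which is why Pat's own-filesystem rule still needs to be enforced at mount time rather than in the wrapper.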