[sudo-users] [sudo-workers] Installing Application without full sudo privilege

Asif Iqbal vadud3 at gmail.com
Fri Feb 13 14:50:41 EST 2009


On Fri, Feb 13, 2009 at 2:44 PM, Russell Van Tassell
<russell+sudo-users at loosenut.com> wrote:
> Well, the more specific (deeper in the tree) you can specify, the
> better.  Myself, I have more of a tendency to just use aliases and then
> use a list of absolute paths where users don't have write access.

I like that alias tip a lot. So /usr/root.sh -> /path/to/some/root.sh,
and if no user has write access to /usr, I should be good unless I am
overlooking some other security risk there.

>
> In your first example, of course, /tmp/root.sh would also work (which I
> think you realized "right after you hit send").
>
> As someone else said, as far as I know, there's pretty much NO reason to
> give Oracle users "root" once you do the install for them.  Chances are
> you can just give them "oracle" and you're set (think that's what I've
> always done in the past, anyway, and it's worked fine).
>
> For those few incidents if/when they think they need root (don't think
> they do), they could come to me (or the admin team) and we could "fix
> it" for them...  or add another very-specific-condition where they get
> root.
>
> Hope that helps...
> Russell
>
> On Fri, Feb 13, 2009 at 02:03:39PM -0500, Asif Iqbal wrote:
>> On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo
>> <edgar.olvera at bbva.bancomer.com> wrote:
>> > From a security point of view that's not recommended. Someone could
>> > create a malicious script called "root.sh" in any directory and you'd be
>> > allowing it to run as root. That is a serious risk.
>>
>> I realized that right after I hit the send button. So basically even
>> the full path won't help if the user has write access to any of the
>> parent directories.
>>
>> So /this/is/the/path/to/the/script.sh can be manipulated if the user
>> has access to, say, /this/is/the.
>>
>> Is there a better way to give sudo privileges to a script, short of
>> the whole path and hoping the user can't or won't play with the path?
>>
>> > -----Mensaje original-----
>> >
>> > What if the path name is different for different environments? Can I
>> > do it like this, /*/root.sh, for the path?
>
> --
> Russell M. Van Tassell
> russell at loosenut.com
>
> "No one is useless in this world who lightens the burdens of another."
>                                                       - Charles Dickens
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?