Do I understand sudo correctly?

Matthew Hannigan Matthew.Hannigan at nl.abnamro.com
Thu Feb 24 08:58:37 EST 2000


> My problem is that there are several tasks that must be done for a ne

That needn't be a problem.  You were originally proposing to write
"bigadminscript.pl" and allowing users to run that with sudo.  I am
proposing that you still write "bigadminscript.pl" but within it,
instead of having exec("passwd $user"), you have
exec("sudo passwd-wrapper $user").

This makes it no harder for the user, who still (thanks to the timeout
feature of sudo) does not have to type in their password every single
time.  In fact this is a nice feature, because typically users will
leave themselves in the program, particularly if it is menu driven;
which can leave themselves open to somebody using their machine while
they're at the coffee machine.

For usability, you might want to prime the timer with a harmless
"sudo -l > /dev/null" early in the program.

> [security] seems this doesn't _have_ to be an issue with a well thought out script

No. It doesn't.  But it always is.  It is human nature and the nature
of programming.  Bigger programs have bigger bugs.  Minimise your risks.

As for logging, I was only referring to the logging that sudo does;
logs saying that "sudo bigadminscript" ran is not interesting.  Logs
saying that user blah had their password changed or that printer
sanfrancisco-laser-postscript-44 was reset is more interesting.

Regards,
	-Matt






chobbs at silvervalley.k12.ca.us on 23/02/2000 15:56:00
To:	sudo-users at courtesan.com
cc:	 (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject:	Re: Do I understand sudo correctly?

Eric's solution was certainly clever - I didn't realize that you could be
that fine-grained with the aliasing. As my student IDs all start with the
same three digit block, this could actually work for us.

My problem is that there are several tasks that must be done for a new
student, and three for just changing a password (passwd, smbpasswd, remake
the NIS maps). My concern is that if I don't make it relatively easy for
the teachers to do this, they'll screw it up :-)

I guess my question is, on what basis do people feel that scripts are
inherently more dangerous than other programs? Is it because they're
usually just quick hacks where security is an afterthought at best? It
seems this doesn't _have_ to be an issue with a well thought out script.
Logging can be done from within the script as well - Matthew had a good
point there.

I certainly don't mean to call out Eric, who brought up this issue. I had
a long discussion on IRC the other night about this as well, and I'm
afraid I just don't understand the fear.

Chris

Matthew Hannigan wrote:
> 
> Chris,
> 
> I agree with Eric.   Not only is it easier to secure, the logs
> are more precise.
> 
> If you can't use the patterns as Eric suggested, then write
> a minimal wrapper that just makes sure that the uid is not
> root or bin say, or that the UID is in a particular range.
> (e.g. greater than 100).  These wrappers should have a
> 1-1 correspondence to the real programs.
> 
> Regards,
>         -Matt
> 
> eric_forgette at vapower.com on 22/02/2000 21:27:00
> To:     Chris_Hobbs%chobbs%silvervalley.k12.ca.us%SMTP at vapower.com
> cc:     sudo-users at courtesan.com (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
> Subject:        Re: Do I understand sudo correctly?
> 
> Hey Chris.
>      I don't suggest ever giving someone super user access to run a
> script, too big of a security hole.
> If you get creative with the students' user names, you won't need a
> script.  If you start your students' user names with stud, you could
> allow your teachers to use the following alias:
> 
> Cmnd_Alias      UNIXPASS=/usr/bin/passwd stud????
> Cmnd_Alias      SAMBAPASS=/usr/bin/smbpasswd stud????
> 
> They could then do...
> 
> sudo passwd studmary
 
--
Chris Hobbs       Silver Valley Unified School District
Head geek:              Technology Services Coordinator
webmaster:    http://www.silvervalley.k12.ca.us/chobbs/
postmaster:               chobbs at silvervalley.k12.ca.us
-------------------------------------------------------
PGP Key is available:
    http://www.silvervalley.k12.ca.us/chobbs/pubkey.txt
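
The minimal wrapper described in the thread (one wrapper per real program, refusing root, bin and any other low UID), sketched here as an added example that is not code from any poster. The name passwd-wrapper comes from the message above; MIN_UID, the username pattern and the lookup_uid helper are assumptions made for illustration.

```shell
#!/bin/sh
# passwd-wrapper: intended to be run as "sudo passwd-wrapper <user>".
# Added example; MIN_UID and the username pattern are assumptions.
LC_ALL=C; export LC_ALL              # make the a-z range below mean ASCII
PATH=/usr/bin:/bin; export PATH      # do not trust the caller's PATH
MIN_UID=100                          # thread suggests "greater than 100"
REAL=/usr/bin/passwd                 # the one real program this wrapper fronts

# Resolve a login name to a numeric UID; fails for unknown users.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Return 0 only if $1 is a plain login name whose UID is above MIN_UID.
target_allowed() {
    [ "$#" -eq 1 ] || return 1             # exactly one argument, no options
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;   # empty, option-like, or odd characters
    esac
    uid=$(lookup_uid "$1") || return 1     # unknown account
    case $uid in
        ''|*[!0-9]*) return 1 ;;           # refuse anything that is not a number
    esac
    [ "$uid" -gt "$MIN_UID" ]              # rejects root (0), bin and system users
}

passwd_wrapper() {
    if target_allowed "$@"; then
        exec "$REAL" "$1"                  # sudo has already logged user and target
    fi
    echo "passwd-wrapper: refusing to change password for '${1:-}'" >&2
    return 1
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    passwd_wrapper "$@"
fi
```

Because the target user is an argument to the wrapper, the line sudo logs names the account that was changed, which is the more precise logging the thread asks for.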