Hiding sudo from sudo users
Emil Isberg
emil.isberg at mds.mdh.se
Tue Jun 13 16:59:45 EDT 2000
On Tue, 13 Jun 2000 zahst at act.org wrote:
> I was wondering if there was a way to allow users to run sudo commands
> without typing sudo <command> and just type the command instead. I
> know it sounds crazy, but here's why.
Simply put: No.
But there are ways to solve the issue:
* Build a patched shell that runs "sudo command args" if command is in the
  /usr/etc directory and give that shell to the user.
* Make aliases or functions that simply do "sudo command args":
    (cd /usr/etc; for i in *
     do echo "$i() { sudo /usr/etc/$i \"\$@\"; }"; done)
* Make one shellscript (or binary program) that calls sudo with its
  _name_ (argv[0]) with /usr/etc prepended and the rest of the args
  untouched. And make a link for each of the programs in /usr/etc to
  this program.
    (cd /usr/etc; for i in *
     do (cd /home/of/user/bin; ln myprog "$i"); done)
> I need to allow anyone logged in as user techsupp to be able to run
> commands in the /usr/etc directory. Currently they are allowed to run
> a restart command on another machine, but they don't type sudo
> restart. A script was set up that when they type restart, it calls the
> /usr/local/bin/sudo then the path to the restart command. The reason
> for this is security, we don't want them knowing they are accessing
> things any differently than normal.
I would recommend that you inform your users that they do run sudo...
There are no security issues in withholding information.
(The information will get out in one way or another: what if the user
runs ps as they run the program??)
I would simply say that those cryptoprotocols that are published are more
secure (by fact) than those nonpublished.
--
Hell hath no fury like a bureaucrat scorned.
-- Milton Friedman
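
The second suggestion in the reply (generated shell functions), as an added example that is not part of the original post: because the output is meant to be eval'd, it only emits wrappers for regular executable files whose names are plain identifiers. TARGET_DIR, SUDO, safe_name and gen_wrappers are names assumed for this sketch; /usr/etc and /usr/local/bin/sudo are the paths mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Emits one shell function per
# command in a directory, for the user's profile to eval.
# Defaults are the paths from the thread; both are assumed to be
# admin-controlled and free of quote or dollar characters.
TARGET_DIR="${TARGET_DIR:-/usr/etc}"
SUDO="${SUDO:-/usr/local/bin/sudo}"

# Succeed only for names that are safe to paste into shell source as a
# function name: letters, digits and underscore, not starting with a digit.
# (Names with hyphens or dots are rejected, although some shells allow them.)
safe_name() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Print 'name() { "sudo" "/dir/name" "$@"; }' for every regular, executable
# file in directory $1 (default: TARGET_DIR). Everything else is skipped
# and reported on stderr instead of being written into code.
gen_wrappers() {
    dir=${1:-$TARGET_DIR}
    for path in "$dir"/*; do
        name=${path##*/}
        if [ -f "$path" ] && [ -x "$path" ] && safe_name "$name"; then
            printf '%s() { "%s" "%s" "$@"; }\n' "$name" "$SUDO" "$path"
        else
            echo "skipped: $path" >&2
        fi
    done
}
```

Load the result from the user's profile with eval "$(gen_wrappers)". What the account may actually run is still decided by sudoers, not by these functions.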