Ideas for ssh / sudo

Marillier, Allan Allan.Marillier at dana.com
Tue Oct 10 16:01:20 EDT 2000


Another option - but it also has potential for abuse - you could
set up a mail alias which pipes to a program/script.
e.g. add an entry to /etc/aliases
     mailadmin: |"/usr/local/bin/mailadmin"
and run newaliases. Then you have a script named mailadmin,
which receives the output of a message, parses it, and acts on the
content of the message.

For example - a message could contain the lines
     add 9nbc at netnet.net
     rm 9nbc at netnet.com
and the script then receives the lines of input - goes into a case/esac
loop - tests for the first word - add or rm, takes the appropriate action
and adds or removes the address in the next field, and finally, the script
would need to run newaliases as well.

Of course, this script would then need to run as root to have the necessary
privileges, and you'd need to keep it in a secure location, with the necessary
permissions to limit potential for abuse.


n9bc at netnet.net
10/10/00 03:15 PM

To:      pll at mclinux.com@Internet
cc:      sudo-users at courtesan.com@Internet, (bcc: Allan Marillier/NCS/Dana)
Subject: Re: Ideas for ssh / sudo



Thanks for the input. I was thinking about the webpage idea. But I'd
rather not have a web server running on that machine. If you can think
of anything else let me know.

-Brent


> In a message dated: 11 Oct 2000 00:41:36 +0600
> Brent said:
>
> >I have a problem that maybe someone on the list can help me out on.
> >I need to set up my sales guys to be able to add email aliases on a
> >server which they don't have accounts on. I was planning on using sudo
> >and ssh to do it. If anyone has done this or something close to it,
> >please drop me an email with any ideas or problems that you ran into.
>
> Well, you could easily let them do something like:
>
>       sudo <some priv. account> ssh <restricted system>
>
> However, they are then logged into that system as that user and have all the
> privileges of that user.  What I would recommend is either create them
> each accounts on that server which have the right to edit the aliases file,
> or, better yet, what I would do here, is set up a web page they must log into
> which asks them for an alias name and a list of user names/e-mail addresses
> to add to the list, then have the web server kick off the update of the
> aliases file.  Though there is a certain level of insecurity in that as well.
>
> Thinking about it, it may be better to set up something like majordomo or
> mailman and give them admin privileges to certain mail lists.  That way they
> can update it to their heart's content.
>
> If I come up with anything else, I'll post it here :)
> --
> Seeya,
> Paul
> ----
>          I'm in shape, my shape just happens to be pear!
>
>        If you're not having fun, you're not doing it right!
>
>

____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users
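
The mail-alias script described in the first message above (a case/esac loop over "add" and "rm" lines), sketched here as an added example that is not part of the original thread. It assumes a hypothetical one-address-per-line members file instead of editing /etc/aliases directly, and it accepts only plain user@domain targets so that a message line cannot introduce a pipe, file or include entry.

```shell
#!/bin/sh
# Added example (not from the thread). The members file passed in $1 is a
# hypothetical one-address-per-line list; it stands in for the alias entry.

# Accept only plain user@domain. Targets that sendmail would treat as a
# program (|cmd), a file (/path) or an include (:include:file) do not match.
valid_addr() {
    [ "${#1}" -le 254 ] || return 1
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Read a message body on stdin and apply "add"/"rm" lines to the file in $1.
# Prints one result per non-blank line; returns 1 if any line was rejected.
process_body() {
    pb_file=$1
    pb_rc=0
    touch "$pb_file"
    while read -r pb_verb pb_addr pb_extra || [ -n "$pb_verb" ]; do
        [ -z "$pb_verb" ] && continue
        # Exactly two fields, and the second must be a plain address.
        if [ -n "$pb_extra" ] || ! valid_addr "$pb_addr"; then
            echo "REJECT"; pb_rc=1; continue
        fi
        case $pb_verb in
            add) # -x -F: whole-line, literal match, so no duplicates
                 grep -qxF -- "$pb_addr" "$pb_file" ||
                     printf '%s\n' "$pb_addr" >> "$pb_file"
                 echo "ADD $pb_addr" ;;
            rm)  # grep -v exits 1 when nothing is left; that is not an error
                 grep -vxF -- "$pb_addr" "$pb_file" > "$pb_file.tmp" || true
                 mv "$pb_file.tmp" "$pb_file"
                 echo "RM $pb_addr" ;;
            *)   echo "REJECT"; pb_rc=1 ;;
        esac
    done
    return "$pb_rc"
}
```

Syntax validation of the body does not authenticate the sender, since mail headers can be forged, so the members file and its directory still need the restrictive permissions the message mentions.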





