sudo and links

Todd C. Miller Todd.Miller at courtesan.com
Tue Sep 19 23:46:38 EDT 2000


In message <Pine.SGI.4.21.0009191753230.35367-100000 at frodo.lucasdigital.com>
	so spake Steve Freed (sfreed):

> 
> I'm trying to figure out how sudo handles links.
> 
> Example:
> 
>  % ls -log /usr/bin/chown
>    lrwxr-xr-x    1      16 Dec 23  1999 /usr/bin/chown -> /sbin/chown
> 
>  % ls -log /sbin/chown
>    -rwxr-xr-x    1   14104 Oct  1  1999 /sbin/chown*
> 
> 
> If a user has permission to execute /usr/bin/chown as root in sudo, will
> it work? Even if they don't have permission for /sbin/chown?
> 
> If they have permission for /sbin/chown but not /usr/bin/chown what
> then? Does it follow the link and let them?
> 
> I can see arguments for having it both ways. Which way does it really
> work?

It follows the link.  Sudo stats the file in question and compares
it to commands listed in sudoers with the same basename.  To see
if the files are the same it stats the two files and compares the
device and inode numbers.

 - todd
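
The comparison described in the reply, as an added example that is not part of the original message and is not sudo's source code. The function names `base_of`, `same_command` and `make_layout` are hypothetical, and the layout under `/tmp` is constructed to mirror the `/usr/bin/chown -> /sbin/chown` case from the question, plus one link with a different basename.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp(3) and symlink(2) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Last path component, without modifying the input (unlike basename(3)). */
static const char *base_of(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Illustration only, not sudo's code. Returns 1 when both paths share a
 * basename and stat(2), which follows symlinks, reports the same device
 * and inode for them; returns 0 otherwise. */
int same_command(const char *requested, const char *sudoers_entry) {
    struct stat a, b;
    if (strcmp(base_of(requested), base_of(sudoers_entry)) != 0)
        return 0;
    if (stat(requested, &a) != 0 || stat(sudoers_entry, &b) != 0)
        return 0;   /* a path that cannot be stat'ed never matches */
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed layout in a fresh temp dir, which becomes the working dir:
 * sbin/chown is a regular file; bin/chown and bin/own are symlinks to it. */
int make_layout(void) {
    char dir[] = "/tmp/linkdemo.XXXXXX";
    FILE *f;
    if (mkdtemp(dir) == NULL || chdir(dir) != 0) return -1;
    if (mkdir("sbin", 0700) != 0 || mkdir("bin", 0700) != 0) return -1;
    if ((f = fopen("sbin/chown", "w")) == NULL) return -1;
    fclose(f);
    if (symlink("../sbin/chown", "bin/chown") != 0) return -1;
    return symlink("../sbin/chown", "bin/own");
}

int main(void) {
    if (make_layout() != 0) return 1;
    printf("bin/chown vs sbin/chown: %d\n", same_command("bin/chown", "sbin/chown"));
    printf("bin/own   vs sbin/chown: %d\n", same_command("bin/own", "sbin/chown"));
    return 0;
}
```

Under this rule a sudoers entry for either `chown` path matches a request for the other, because both resolve to the same device and inode; the `own` link fails only on the basename comparison.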


