Using sudo in scripts
Matthew Hannigan
mlh at zip.com.au
Wed Aug 7 19:51:06 EDT 2002
Allow me the indulgence of pointing out
yet again the common misapprehension of sudo
that it somehow limits a user. It does not; it
can ONLY enhance one's privileges ...
Todd, I think this point needs to be hammered
home in the FAQ and README
[ .. ]
> > gcall ALL=/home/gcall/test.mnu,/bin/mount
> >
> > I execute sudo /home/gcall/test.mnu as user "gcall". Once in this menu,
> > all 3 commands will run without going through sudo.
i.e. you are permitted to run them because you already have been "sudo'd"
> > I *thought* that I
> > would be denied ls and ps, but permitted to run mount.
> >
> > If I prefix all of the commands with sudo in the script, it then works.
By "works" you mean that you are NOT permitted to run ls.
BTW, I think this is a very unsafe way to run sudo;
you really should put every individual command within sudo,
not just your menu. Almost any bug in your menu becomes
a security hole.
You also lose the ability to track what people do exactly:
Does that entry in the sudo log mean they reset a printer
or unmounted a filesystem? .... or worse?!?
Matt
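
The arrangement recommended above, as an added sketch that is not part of the original post: the menu runs as the invoking user and only the mount entry goes through sudo, so the sudoers line can shrink to `gcall ALL=/bin/mount` and every privileged action gets its own sudo log entry. The three menu choices follow the thread; the `SUDO` override, the function names and the reduced sudoers line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (constructed): test.mnu rewritten so the menu is unprivileged.
# Assumed sudoers entry:  gcall ALL=/bin/mount   (the menu script is no longer listed)

SUDO=${SUDO:-sudo}   # overridable so the dispatch can be exercised without sudo

# sudo sets SUDO_USER in the environment of what it runs; if it is set,
# the whole menu was started through sudo, which is the case to refuse.
started_via_sudo() {
  [ -n "${SUDO_USER:-}" ]
}

# Map a menu choice to a command line. Only mount is prefixed with sudo,
# so ls and ps run with the caller's own privileges.
command_for() {
  case "$1" in
    1) echo "ls" ;;
    2) echo "ps" ;;
    3) echo "$SUDO /bin/mount" ;;
    *) return 1 ;;
  esac
}

menu() {
  if started_via_sudo; then
    echo "run this menu without sudo" >&2
    return 1
  fi
  printf '1) ls\n2) ps\n3) mount\nchoice: '
  read -r choice || return 1
  cmd=$(command_for "$choice") || { echo "unknown choice" >&2; return 2; }
  $cmd   # unquoted on purpose: split "sudo /bin/mount" into words
}

# Start the menu only when this file is installed under the name used in the thread.
case "${0##*/}" in
  test.mnu) menu ;;
esac
```
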