Using sudo in scripts

Matthew Hannigan mlh at
Wed Aug 7 19:51:06 EDT 2002

Allow me the indulgence of pointing out
yet again the common misapprehension of sudo
that it somehow limits a user.  It does not; it
can ONLY enhance one's privileges ...

Todd,  I tihnk this point needs to be hammered 
home in the FAQ and README

[ .. ]
> > gcall   ALL=/home/gcall/test.mnu,/bin/mount
> > 
> > I execute sudo /home/gcall/test.mnu as user "gcall".  Once in this menu,
> > all 3 commands will run without going through sudo.

i.e. you are permitted to run them becasue you already have been "sudo'd"

I *thought* that I
> > would be denied ls and ps, but permitted to run mount.
> > 
> > If I prefix all of the commands with sudo in the script, it then works. 

By "works" you mean that you are NOT permitted to run ls.

BTW, I think this is a very unsafe way to run sudo;
you really should put every individual command within sudo,
not just your menu.  Almost any bug in your menu becomes 
a security hole.

You also lose the ability to track what people do exactly:
Does that entry in the sudo log mean they reset a printer
or unmounted a filesystem? .... or worse?!?


More information about the sudo-users mailing list