Read all files on a given system? (sudo wrapper/sudo shell)

Howard Owen hbo at egbok.com
Thu May 16 17:22:38 EDT 2002


The problem with glob expansion is it's implemented by the shell before
sudo is even run.  Sudo cannot confer privilege on a process before it
is invoked!

The same problem occurs with I/O redirection, and for the same reason,
though there are workarounds for that involving dd and tee.

I've written a system called sudoscript (http://www.egbok.com/sudoscript)
that runs a root shell with sudo and scripts the session to a FIFO. A daemon
runs to manage the probably large quantity of information produced by
script(1). It's currently not a good solution for multiuser access, but I'm
working on that. It also suffers from all the drawbacks of script(1),
principally large quantities of garbled output.

This isn't exactly what you are asking for, but it addresses the same 
problem space.

--On Thursday, May 16, 2002 02:38:21 PM -0500 "King, Daniel" 
<Daniel.King at fiserv.com> wrote:

> Hi, folks –
>
> I’ve been using sudo for some time with great success.  However, I’ve now
> got something sudo can’t do.  It’s even addressed in the sudo man page:
> -----
> To make a usage listing of the directories in the /home partition.
> Note that this runs the commands in a sub-shell to make the cd and
> file redirection work.
>
> % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> -----
>
> I’ve been hacking on osh, but I was wondering if there is a way to give
> read (but not write) access to an entire system, for a single account.
> In the process I’ve written a wrapper shell to handle the issue.  What
> are the issues that might come up with the script below?  Improvements
> (docs, yes; others, maybe)?  Would it be easily done to apply this ksh
> logic to build in an internal ‘shell’ for sudo?  osh looked so promising,
> even if it wasn’t up to the same standard as sudo.  It would bring me
> great satisfaction to do something like:
> $sudo -s
> sudo>cd /etc
> sudo>rvi shadow
> sudo>exit
>
> And, if I could get tab completion, I would simply be in heaven.
>
> Thoughts?  Should I take this to the developer list?  My c-language
> programming is really rusty.
> A. Daniel King, System Analyst
> Fiserv - Atlanta Center
> 1475 Peachtree Street, NE - Suite 700
> Atlanta, GA 30309
> 404-873-2851 x2034
>
> ----- Script begins:
>
> #!/usr/bin/ksh
>
> # dsh by A. Daniel King; a sudo wrapper or sudo shell
>
> # KILL and STOP cannot be caught, and ksh rejects a trap on them; trap the rest.
> for x in HUP INT QUIT TERM TSTP CONT
> do
>         trap 'echo You cannot escape.' SIG$x
> done
>
> workingdir=`/usr/bin/pwd`
>
># Here is where the cd code is:
> function execute {
>
>         [ "$1" = "" ] && return
>
>         if [ "$1" = "cd" ]
>         then
>                 # Add code for cd here:
>                 export workingdir=`/usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $* ; /usr/bin/pwd"`
>         else
>                 # Run actual commands here:
>                 /usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $*"
>         fi
>
> }
>
> x=""
> while [[ "$x" != "exit" ]]
> do
>         printf "%s>" $workingdir
>         read x
>
>         # Read the command into an array:
>         counter=0
>         max=0
>         for item in $x
>         do
>                 array[$counter]=$item
>                 (( counter = counter + 1 ))
>                 max=$counter
>         done
>
>         # Parse the output for individual commands ...
>         counter=0
>         while (( counter <= max ))
>         do
>                 # If we have a full command, then run it; if not, continue
>                 # adding to the command:
>                 if [[ ( "${array[$counter]}" = ";" ) || ( $counter = $max ) ]]
>                 then
>                         command=$command" "${array[$counter]}
>                         array[$counter]=""
>                         execute $command
>                         command=""
>                 else
>                         command=$command" "${array[$counter]}
>                         array[$counter]=""
>                 fi
>                 (( counter = counter + 1 ))
>         done
>
> done
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users



Howard Owen                      "Even if you are on the right
EGBOK Consultants                 track, you'll get run over if you
hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
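The thread turns on one point: globbing, pipes and redirection are resolved by whichever shell reads the line, so a wrapper that hands the user's words to `sudo sh -c "$*"` (as dsh above does) is simply a root shell with a prompt, and cannot deliver read-only access. The following is an added example, not code from the thread, from dsh, or from sudoscript. It sketches the policy layer such a wrapper would need: it lexes the line with Python's `shlex` without expanding anything, refuses every token that only a shell could interpret, checks the command against a constructed allowlist of read-only utilities (an assumption), tracks the working directory itself so relative paths can be resolved without a privileged `cd`, and builds an argv list for `sudo --` so no string ever reaches a root `sh -c`. The rule that every non-option argument is a path is a simplification chosen for this example.

```python
import posixpath
import shlex

# Constructed allowlist of read-only utilities for this example (an assumption);
# a real deployment would mirror it in sudoers so sudo enforces it as well.
READ_ONLY = {"cat", "ls", "du", "head", "tail", "wc", "stat", "file"}

# Operators that shlex emits as separate tokens when punctuation_chars=True.
SHELL_OPERATORS = {"|", "||", "&", "&&", ">", ">>", "<", "<<", "(", ")"}
# Characters that would need a shell to expand (globs, variables, substitution).
GLOB_OR_SUBST = "*?[$`"


class PolicyViolation(Exception):
    """Raised when a line could only be run by handing it to a privileged shell."""


def tokenize(line):
    """Lex a line like a shell would, but expand nothing.

    Quotes are honoured, operators become their own tokens, and a '*' survives
    literally, so the wrapper sees what the user typed rather than what the
    invoking shell would have turned it into.
    """
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lex)


def split_on_semicolon(tokens):
    """Group tokens into commands at ';', the only separator this wrapper honours."""
    commands, current = [], []
    for tok in tokens:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def check(argv):
    """Reject anything that only a shell could interpret, then apply the allowlist."""
    for tok in argv:
        if tok in SHELL_OPERATORS:
            raise PolicyViolation(f"shell operator {tok!r} is not allowed")
        if any(c in tok for c in GLOB_OR_SUBST):
            raise PolicyViolation(f"{tok!r} would need shell expansion")
    if argv[0] != "cd" and argv[0] not in READ_ONLY:
        raise PolicyViolation(f"{argv[0]!r} is not in the read-only allowlist")


def resolve(cwd, arg):
    """Resolve a non-option argument against the working directory we track."""
    if arg.startswith("-"):
        return arg
    return posixpath.normpath(posixpath.join(cwd, arg))


def plan(line, cwd="/"):
    """Turn one input line into argv lists for sudo, tracking cwd ourselves.

    Returns (new_cwd, [argv, ...]). Every argv starts with 'sudo --' so sudo
    never parses the user's words as options, and no 'sh -c' is involved.
    """
    argvs = []
    for argv in split_on_semicolon(tokenize(line)):
        check(argv)
        if argv[0] == "cd":
            if len(argv) != 2:
                raise PolicyViolation("cd takes exactly one directory")
            cwd = resolve(cwd, argv[1])
            continue
        argvs.append(["sudo", "--", argv[0]] + [resolve(cwd, a) for a in argv[1:]])
    return cwd, argvs


if __name__ == "__main__":
    import subprocess
    import sys

    cwd = "/"
    for line in sys.stdin:
        try:
            cwd, argvs = plan(line, cwd)
        except (PolicyViolation, ValueError) as exc:  # ValueError: unbalanced quotes
            print(f"dsh: refused: {exc}", file=sys.stderr)
            continue
        for argv in argvs:
            subprocess.run(argv)  # argv form: no shell sits between us and sudo
```

Run stand-alone it reads lines from stdin; the man-page example `du -s * | sort -rn > USAGE` is refused at the `*` before sudo is ever invoked, which is the honest outcome, since only a shell running as root could expand that glob. The wrapper deliberately offers no pipes or redirection; if they are needed, the privileged side has to implement them, which is the trade-off sudoscript makes by recording a real root shell instead.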


