FW: Read all files on a given system? (sudo wrapper/sudo shell)

King, Daniel Daniel.King at fiserv.com
Fri May 17 10:59:03 EDT 2002


Drat, drat, drat.  Sudoscript looks good - for what it does.  The tidy script is immediately useful to me.  However, it is not a shell.  Top shell issues would be:

1) Working directory
2) Globbing
3) I/O redirection
4) Others?

Perhaps there is a small shell whose source would be readily hackable?  zsh?  ash?  If I understand you correctly, I've pretty much got to hack a SUID root file to do what I'm looking for ... namely, read the entire system, but not write to it.  A script simply calling sudo will not do the trick.  The little voices are telling me to write my own shell ... but I'll probably continue to hack on osh.

Perhaps I'll lurk a bit on the developer list, too.

Does PowerBroker do anything like this?

Thanks,

A. Daniel King, System Analyst
Fiserv - Atlanta Center
1475 Peachtree Street, NE - Suite 700
Atlanta, GA 30309
404-873-2851 x2034


-----Original Message-----
From: Howard Owen 
Sent: Thursday, May 16, 2002 5:28 PM
To: King, Daniel; sudo-users at sudo.ws
Subject: Re: Read all files on a given system? (sudo wrapper/sudo shell)

The problem with glob expansion is it's implemented by the shell before
sudo is even run.  Sudo cannot confer privilege on a process before it
is invoked!

The same problem occurs with I/O redirection, and for the same reason,
though there are workarounds for that involving dd and tee.

I've written a system called sudoscript (http://www.egbok.com/sudoscript)
that runs a root shell with sudo and scripts the session to a FIFO. A daemon
runs to manage the probably large quantity of information produced by
script(1). It's currently not a good solution for multiuser access, but I'm
working on that. It also suffers from all the drawbacks of script(1),
principally large quantities of garbled output.

This isn't exactly what you are asking for, but it addresses the same 
problem space.

--On Thursday, May 16, 2002 02:38:21 PM -0500 "King, Daniel" 
<Daniel.King at fiserv.com> wrote:

> Hi, folks –
>
> I’ve been using sudo for some time with great success.  However, I’ve now
> got something sudo can’t do.  It’s even addressed in the sudo man page:
> -----
> To make a usage listing of the directories in the /home partition.
> Note that this runs the commands in a sub-shell to make the cd and
> file redirection work.
>
> % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> -----
>
> I’ve been hacking on osh, but I was wondering if there is a way to give
> read (but not write) access to an entire system, for a single account.
> In the process I’ve written a wrapper shell to handle the issue.  What
> are the issues that might come up with the script below?  Improvements
> (docs, yes … others, maybe)?  Would it be easily done to apply this ksh
> logic to build in an internal ‘shell’ for sudo?  osh looked so promising,
> even if it wasn’t up to the same standard as sudo.  It would bring me
> great satisfaction to do something like:
> $sudo -s
> sudo>cd /etc
> sudo>rvi shadow
> sudo>exit
>
> And, if I could get tab completion, I would simply be in heaven.
>
> Thoughts?  Should I take this to the developer list?  My c-language
> programming is really rusty.
> A. Daniel King, System Analyst
> Fiserv - Atlanta Center
> 1475 Peachtree Street, NE - Suite 700
> Atlanta, GA 30309
> 404-873-2851 x2034
>
> ----- Script begins:
>
> #!/usr/bin/ksh
>
> # dsh by A. Daniel King; a sudo wrapper or sudo shell
>
> # Keep the user inside the wrapper.  (KILL and STOP cannot be caught by
> # any process, so those two traps have no effect.)
> for x in HUP INT QUIT KILL TERM STOP TSTP CONT
> do
>         trap 'echo You cannot escape.' SIG$x
> done
>
> workingdir=`/usr/bin/pwd`
>
> # Here is where the cd code is:
> function execute {
>
>         [ "$1" = "" ] && return
>
>         if [ "$1" = "cd" ]
>         then
>                 # Add code for cd here: run the cd under sudo and record
>                 # the directory the privileged shell ends up in.
>                 export workingdir=`/usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $* ; /usr/bin/pwd"`
>         else
>                 # Run actual commands here:
>                 /usr/local/bin/sudo /usr/bin/sh -c "cd $workingdir ; $*"
>         fi
>
> }
>
> x=""
> while [[ "$x" != "exit" ]]
> do
>         printf "%s>" "$workingdir"
>         read -r x
>
>         # Read the command into an array (split on whitespace):
>         counter=0
>         max=0
>         for item in $x
>         do
>                 array[$counter]=$item
>                 (( counter = counter + 1 ))
>                 max=$counter
>         done
>
>         # Parse the output for individual commands ...
>         counter=0
>         while (( counter <= max ))
>         do
>                 # If we have a full command, then run it; if not, continue
>                 # adding to the command:
>                 if [[ ( "${array[$counter]}" = ";" ) || ( $counter = $max ) ]]
>                 then
>                         command=$command" "${array[$counter]}
>                         array[$counter]=""
>                         execute $command
>                         command=""
>                 else
>                         command=$command" "${array[$counter]}
>                         array[$counter]=""
>                 fi
>                 (( counter = counter + 1 ))
>         done
>
> done
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users



Howard Owen                      "Even if you are on the right
EGBOK Consultants                 track, you'll get run over if you
hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
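Howard's point that globbing and redirection are done by the caller's shell before sudo ever runs is easiest to see by looking at what the privileged helper actually receives as its argv. The script below is an added example, not code from this thread or from the sudo project. It takes the du/sort command from the sudo man page quoted above and runs it three ways through a stand-in for sudo: a function called priv (a hypothetical name) that logs the argv it was handed and then runs it, so everything executes offline as an unprivileged user. The function names (priv, make_sample_home, du_usage_*, demo) and the sample directory tree are constructed for the example. Form 1 is the naive sudo du -s * | sort -rn > USAGE; form 2 is the man page's sudo sh -c; form 3 is the tee workaround. Replacing the body of priv with sudo "$@" gives the real commands.

```shell
#!/bin/sh
# Added example (not from the thread): where globbing and I/O redirection
# happen relative to sudo, using the man-page du/sort example from the post.
#
# priv is a hypothetical stand-in for sudo so this runs offline as an
# ordinary user: it logs the exact argv it was handed, then runs it.
# Replace its body with `sudo "$@"` to get the real commands.
# All function names here (priv, make_sample_home, du_usage_*, demo) and
# the sample directory tree are constructed for the example.

PRIV_LOG="${PRIV_LOG:-${TMPDIR:-/tmp}/priv_argv.$$}"

priv() {
    printf '%s\n' "$*" >>"$PRIV_LOG"
    "$@"
}

# A throwaway /home-like tree with three "user" directories.
make_sample_home() {
    home=$(mktemp -d)
    for u in alice bob carol; do
        mkdir "$home/$u"
        printf 'data' >"$home/$u/file"
    done
    printf '%s\n' "$home"
}

# Form 1: the naive translation.  The caller's (unprivileged) shell expands
# '*' and opens USAGE for writing before priv is ever invoked; only du runs
# privileged.  In the log, priv receives the already-expanded names and
# never sees '*', '|' or '>'.
du_usage_naive() {
    ( cd "$1" && priv du -s * | sort -rn > USAGE )
}

# Form 2: the sudo(8) man-page workaround.  The whole command line is one
# argument to a shell started by priv, so the glob, the pipe and the
# redirect are all performed with that shell's privilege and working
# directory.  Every metacharacter in the string is now interpreted by a
# privileged shell, so the string must be fully trusted.
du_usage_subshell() {
    priv sh -c "cd '$1' && du -s * | sort -rn > USAGE"
}

# Form 3: the tee workaround.  Only du and the final write are privileged;
# sort runs as the caller.
du_usage_tee() {
    priv sh -c "cd '$1' && du -s *" | sort -rn | priv tee "$1/USAGE" >/dev/null
}

# Run all three against a fresh tree and show what priv actually received.
demo() {
    home=$(make_sample_home)
    : >"$PRIV_LOG"
    for form in du_usage_naive du_usage_subshell du_usage_tee; do
        rm -f "$home/USAGE"
        "$form" "$home"
        echo "$form wrote $(wc -l <"$home/USAGE") lines to USAGE"
    done
    echo "argv handed to priv, one call per line:"
    cat "$PRIV_LOG"
    rm -rf "$home" "$PRIV_LOG"
}
```

Source the file and run demo. The log shows that in form 1 the '*', '|' and '>' never reach priv at all, which is exactly why the dsh wrapper in the thread has to hand the whole line to sh -c, and why a wrapper built that way is running a full root shell on whatever string it assembles.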


