problem retaining username
mlh at zip.com.au
Sun Sep 8 03:33:49 EDT 2002
Andrew Solomon wrote:
> andrews machname=/bin/timestamp.sh !set_logname
> I get the message
> Sorry, user andrews is not allowed to execute '/bin/timestamp.sh'
> as root on machname.it.uts.edu.au.
Maybe the problem is that you've specified the machine name
but sudo gets the fqdn. Try the same thing as
andrews ALL=/bin/timestamp.sh !set_logname
> What am I doing wrong?
> 2) If I *were* able to execute /bin/timestamp.sh
> as root but with $USER unchanged by sudo, I would worry that
> the person executing
> sudo /bin/timestamp.sh
> had tampered with their $USER variable. Is there any way of ensuring
> this had not been done?
Use SUDO_USER instead. Or abort if USER != SUDO_USER.
Sanitise check $USER before checking it; you don't want
to be trapped by someone setting USER to "`chmod a+w /etc/passwd`"
(Not sure how to do this in shell safely -- would have to
give it a bit of thought.)
PS. How's it going Andrew?
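
One way to do the check suggested in the reply above, as an added example that is not part of the original post. The function names, the allowed character set and the 32-character limit are assumptions, and it presumes the sudoers entry uses `!set_logname`, so that an untampered USER equals SUDO_USER.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original thread).
# Every value is expanded only inside double quotes and never reaches eval,
# so backticks or $(...) inside USER stay inert text.

# valid_login NAME: succeed only for a conservative login-name shape.
# The character set and length limit are assumptions; match local policy.
valid_login() {
    case "$1" in
        ''|-*) return 1 ;;                # empty, or would parse as an option
        *[!A-Za-z0-9._-]*) return 1 ;;    # any character outside the allow-list
    esac
    [ "${#1}" -le 32 ]
}

# invoking_user: print the name sudo recorded in SUDO_USER, or fail.
#   exit 2: SUDO_USER missing or malformed (script not started via sudo)
#   exit 3: USER disagrees with SUDO_USER (tampered, or set_logname active)
invoking_user() {
    valid_login "${SUDO_USER-}" || return 2
    # USER comes from the caller's environment; compare it as a plain string.
    [ "${USER-}" = "$SUDO_USER" ] || return 3
    printf '%s\n' "$SUDO_USER"
}

# Constructed demo values. The second one is a harmless stand-in for the
# backtick string mentioned in the reply. Run in subshells so the real
# environment is left alone.
for u in andrews '`touch ./tampered`'; do
    (
        SUDO_USER=andrews
        USER=$u
        rc=0
        invoking_user >/dev/null || rc=$?
        printf 'USER=%s -> exit %s\n' "$u" "$rc"
    )
done
```

Inside a script such as /bin/timestamp.sh this would be used as `who=$(invoking_user) || exit 1`, with `"$who"` kept in double quotes wherever it is used afterwards.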