[sudo-users] Sudo for groups?
lists at dawes.za.net
Wed Apr 6 06:19:15 EDT 2005
I have a situation that I am trying to correct as best I can.
A company has a legacy application that needs world-writable permissions on its
data files to operate. I think this is bad practice, and am trying to limit
this to group writable for a specific application group.
There are then a couple of possibilities:
1) Add all application users to the application group
2) Use a setuid/setgid wrapper that calls the application.
1) has the disadvantage that the user is then still able to modify the data
2) seems to me to be a workable solution.
Trying not to reinvent the wheel (and fall into the same security traps that
everyone else has already climbed out of), I thought that maybe sudo could let
me do this.
One thing that I would like to have, though, is that the userid should not be
changed, just the group. This is because the application checks the uid when
deciding what operations the user should be allowed to perform.
Were it not for the "own userid" condition, I could just create an "appuser"
user who is a member of the "appgrp" group, and allow members of the "appusers"
group to execute /opt/app/bin/app as "appuser".
SetGID directories could even control the permissions and ownership of spool
files . . .
Is such a thing possible with sudo? I have checked the archives, and saw a post
last year referring to an application called "hat" that set hardcoded groups.
Unfortunately, it seems to be a private app, and there was no further
discussion on the list.
Ideally, what I would like is something like:
%appusers ALL = (%appgrp) NOPASSWD: /opt/app/bin/app
Where members of the appusers group would be permitted to run /opt/app/bin/app
with the primary group set to be appgrp, but their UID still their own.
Any suggestions? Am I out of luck?
I should mention that the platform is Tru64 Unix V40.F and V5.1B, so the
Linuxish alternative of allowing the users to execute /usr/bin/sg appgrp
/opt/app/bin/app is not available. Thinking about it, though, I don't think
that would work anyway, due to the uid issue :-(
Many thanks for any assistance.
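The setgid wrapper from option 2 above, as an added example that is not part of the original post: installed with the setgid bit (not setuid), it makes the real and effective gid agree, drops the inherited environment, screens the arguments and then execs the fixed application path, so the uid stays the caller's own while the data files are written as appgrp. The environment contents, the argument policy and the umask are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define APP_PATH "/opt/app/bin/app"  /* path from the question; fixed, never taken from argv */
#define MAX_ARG_LEN 255              /* assumed limit for this example */

/* Accept only short, printable, non-empty arguments, so nothing the application
 * did not expect (control characters, overlong strings) reaches it with group rights. */
int arg_is_safe(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n > MAX_ARG_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)arg[i]))
            return 0;
    return 1;
}

/* Make the real gid equal the effective gid, so the application and anything it
 * spawns see one consistent group. Returns 0 on success, -1 on failure. */
int commit_group(gid_t target)
{
    if (setregid(target, target) != 0)
        return -1;
    return (getgid() == target && getegid() == target) ? 0 : -1;
}

/* Install as: chown root:appgrp wrapper; chmod 2755 wrapper (setgid bit only, no setuid).
 * The kernel then starts the wrapper with egid = appgrp while the uid stays the caller's. */
int main(int argc, char *argv[])
{
    static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };  /* drop the inherited environment */
    gid_t target = getegid();        /* already appgrp thanks to the setgid bit */

    if (commit_group(target) != 0) { perror("setregid"); return 1; }
    umask(007);                      /* new data files: group read/write, nothing for others */
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) { fprintf(stderr, "wrapper: rejected argument %d\n", i); return 2; }
    argv[0] = APP_PATH;
    execve(APP_PATH, argv, clean_env);
    perror("execve");                /* only reached if the exec itself failed */
    return 1;
}
```

Later sudo releases (1.7.0 onward) added a runas group, so `%appusers ALL = (:appgrp) NOPASSWD: /opt/app/bin/app` together with `sudo -g appgrp /opt/app/bin/app` gives the group change without touching the uid, which is the sudoers line the question is reaching for.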