[sudo-users] Sudo for groups?

Ladner, Eric (Eric.Ladner) Eric.Ladner at chevrontexaco.com
Wed Apr 6 12:38:22 EDT 2005


I think you're in luck.

According to the sudoers man page
(http://www.courtesan.com/sudo/man/sudoers.html):

A User_List is made up of one or more usernames, system groups (prefixed
with '%'), netgroups (prefixed with '+') and other aliases. Each list
item may be prefixed with one or more '!' operators. An odd number of
'!' operators negate the value of the item; an even number just cancel
each other out. 

Eric Ladner, Systems Analyst 
RFMS IT Support

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
lists at dawes.za.net
Sent: Wednesday, April 06, 2005 5:19 AM
To: sudo-users at courtesan.com
Subject: [sudo-users] Sudo for groups?

Hi folks,

I have a situation that I am trying to correct as best I can.

A company has a legacy application that needs world-writable permissions
on its data files to operate. I think this is bad practice, and am
trying to limit this to group writable for a specific application group.

There are then a couple of possibilities:

1) Add all application users to the application group

2) Use a setuid/setgid wrapper that calls the application.

1) has the disadvantage that the user is then still able to modify the
data files directly.

2) seems to me to be a workable solution.

Trying not to reinvent the wheel (and fall into the same security traps
that everyone else has already climbed out of), I thought that maybe
sudo could let me do this.

One thing that I would like to have, though, is that the userid should
not be changed, just the group. This is because the application checks
the uid when deciding what operations the user should be allowed to
perform.

Were it not for the "own userid" condition, I could just create an
"appuser" user who is a member of the "appgrp" group, and allow members
of the "appusers" group to execute /opt/app/bin/app as "appuser".

SetGID directories could even control the permissions and ownership of
spool files...

Is such a thing possible with sudo? I have checked the archives, and saw
a post last year referring to an application called "hat" that set
hardcoded groups. Unfortunately, it seems to be a private app, and there
was no further discussion on the list.

Ideally, what I would like is something like:

%appusers    ALL = (%appgrp) NOPASSWD: /opt/app/bin/app

Where member of the appusers group would be permitted to run
/opt/app/bin/app with the primary group set to be appgrp, but their UID
still their own.

Any suggestions? Am I out of luck?

I should mention that the platform is Tru64 Unix V40.F and V5.1B, so the
Linuxish alternative of allowing the users to execute /usr/bin/sg appgrp
/opt/app/bin/app is not available. Thinking about it, though, I don't
think that would work anyway, due to the uid issue :-(

Many thanks for any assistance.

Rogan
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information,
options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
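A small evaluator for the User_List rule quoted in the reply above, added here as an example; it is not part of the thread and not sudo's own code. It models how sudo resolves a list (the last item that matches decides, so a negated item on its own grants nothing), and takes group and netgroup membership as sets supplied by the caller instead of looking them up from the system.

```python
"""Evaluate a sudoers User_List entry against a user.

Items are usernames, %group, +netgroup, ALL, or aliases (expanded via a
dict).  Any number of leading '!' operators is allowed: an odd count
negates the item, an even count cancels out.  Resolution follows sudo's
matcher: every item whose base matches sets the outcome, and the last
such item wins, which is what makes "ALL, !%wheel" deny wheel members.
"""


def _resolve(user_list, user, groups, netgroups, aliases):
    """Return True/False if some item matched, else None (nothing matched)."""
    outcome = None
    for raw in (i.strip() for i in user_list.split(",") if i.strip()):
        bangs = len(raw) - len(raw.lstrip("!"))
        item, negate = raw[bangs:], bangs % 2 == 1  # even '!' count cancels out
        if item in aliases:  # User_Alias: its result is negated as a whole
            sub = _resolve(aliases[item], user, groups, netgroups, aliases)
            if sub is not None:
                outcome = (not sub) if negate else sub
            continue
        if item == "ALL":
            hit = True
        elif item.startswith("%"):  # system group (primary or supplementary)
            hit = item[1:] in groups
        elif item.startswith("+"):  # netgroup, membership supplied by caller
            hit = item[1:] in netgroups
        else:  # plain username
            hit = item == user
        if hit:
            outcome = not negate
    return outcome


def user_matches(user_list, user, groups=(), netgroups=(), aliases=None):
    """True if `user`, with the given memberships, is covered by the entry."""
    return bool(_resolve(user_list, user, set(groups), set(netgroups), aliases or {}))


if __name__ == "__main__":
    # Constructed sample: the %appusers entry from the question, plus a
    # hypothetical alias, checked for a member and a non-member.
    team = {"APPTEAM": "%appusers, !rogan"}
    print(user_matches("%appusers", "rogan", groups={"appusers"}))        # True
    print(user_matches("%appusers, !rogan", "rogan", groups={"appusers"}))  # False
    print(user_matches("APPTEAM", "alice", groups={"appusers"}, aliases=team))  # True
```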