[sudo-users] sudo and groups

Timo Wendt twendt at online.de
Wed Apr 26 01:41:47 EDT 2006


Yes, ls works fine. But then the command to run is "ls". I think that
the problem seems to be that sudo checks to see if the command exists
before it tries to run the command. Maybe the gid is not changed at
that time? It is actually possible to run it as root instead of timo.
So the gid must be changed when run as root. I did have a look at the
source code and saw that there are different functions for running as
root and for running as runas-User. I didn't figure out though what
the problem is. I am not a C expert.

Regards,

Timo Wendt

NOTE: My email address has changed from Timo at Schnibbe.net to
Timo at TJWendt.de.



On 21.04.2006 at 14:53, Galen Johnson wrote:

> If you change that ID to allow all commands, can you get an ls on  
> that directory?  What is the exact error being logged in syslog (or  
> wherever you have it logging to)?  Are there any contradictory  
> allowances for that user?
>
> =G=
>
> -----Original Message-----
> From: Timo Wendt [mailto:twendt at online.de]
> Sent: Thursday, April 20, 2006 4:14 PM
> To: Galen Johnson
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudo and groups
>
> It is no typo. I want to allow timo1 to run the command as timo. I
> don't need to allow timo to run the command as himself. In production
> I would use the following of course:
>
> timo1 ALL= (timo) NOPASSWD: /tmp/dir1/dir2/cmd
>
> I only used ALL to be able to try it with root as well.
>
> On 20.04.2006 at 22:09, Galen Johnson wrote:
>
>> Fair enough...is timo1 a typo or an alias?  If a typo, I'd change
>> that to timo and see if that works.
>>
>> =G=
>>
>> -----Original Message-----
>> From: Timo Wendt [mailto:twendt at online.de]
>> Sent: Thursday, April 20, 2006 3:48 PM
>> To: Galen Johnson
>> Cc: sudo-users at sudo.ws
>> Subject: Re: [sudo-users] sudo and groups
>>
>> User timo does have execute permissions, it's his own file and
>> permissions are 740. dir2 is also his own and therefore no problem.
>> Due to his primary group shadow dir1 is also no problem. And all this
>> works as designed without sudo if timo executes the command. Here is
>> my sudoers entry:
>>
>> timo1 ALL= (ALL) NOPASSWD: /tmp/dir1/dir2/cmd
>>
>> It actually works fine if he tries to execute this as root by
>> running: sudo /tmp/dir1/dir2/cmd
>>
>>
>>
>> On 20.04.2006 at 21:38, Galen Johnson wrote:
>>
>>> I doubt this is a sudo problem...this is a unix permission
>>> problem.  Chmod dir2 to 750 and the command to 750...in order to
>>> traverse a directory, you have to have execute privs on it.  I'm
>>> surprised it works at all.  Of course, it would help to see the
>>> related sudoers entry for the user and command in question.
>>>
>>> =G=
>>>
>>> -----Original Message-----
>>> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-
>>> bounces at courtesan.com] On Behalf Of Timo Wendt
>>> Sent: Thursday, April 20, 2006 1:53 PM
>>> To: sudo-users at sudo.ws
>>> Subject: [sudo-users] sudo and groups
>>>
>>> Hi,
>>>
>>> I have the following setup:
>>>
>>> drwxr-x--- 3 root shadow 4096 20. Apr 19:31 dir1
>>>
>>> tmp/dir1:
>>> insgesamt 4
>>> drwxr----- 2 timo shadow 4096 20. Apr 19:32 dir2
>>>
>>> tmp/dir1/dir2:
>>> insgesamt 4
>>> -rwxr----- 1 timo shadow 13 20. Apr 19:32 cmd
>>>
>>> Now I allowed a user timo1 to run cmd as user timo. User timo has
>>> group shadow as his primary group. It doesn't work. It is possible
>>> though to run the command when logging in as user timo. Somehow sudo
>>> doesn't recognize that user timo has shadow as its primary group and
>>> therefore the problem is dir1. As soon as I set 755 on it, it works.
>>>
>>> Is this supposed to be like that or is there any option to use?
>>>
>>> Timo
>>> ____________________________________________________________
>>> sudo-users mailing list <sudo-users at sudo.ws>
>>> For list information, options, or to unsubscribe, visit:
>>> http://www.sudo.ws/mailman/listinfo/sudo-users
>>
>
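As an added illustration (not code from this thread or from sudo itself), the following Python model walks the directory layout Timo posted and applies the classic Unix permission check under different credential sets. The uids and the gid for group shadow are made-up placeholders; the point it shows is that the lookup of /tmp/dir1/dir2/cmd only succeeds when timo's shadow group is actually in effect, and that chmod 755 on dir1 hides the problem rather than fixing it.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One path component of the constructed layout: owner, group, mode."""
    uid: int
    gid: int
    mode: int


# Hypothetical ids for the thread's actors (placeholders, not real ids).
ROOT, TIMO, TIMO1, SHADOW = 0, 1000, 1001, 42

# The listing from the original post, modelled as constructed data.
LAYOUT = {
    "/tmp/dir1": Entry(ROOT, SHADOW, 0o750),
    "/tmp/dir1/dir2": Entry(TIMO, SHADOW, 0o740),
    "/tmp/dir1/dir2/cmd": Entry(TIMO, SHADOW, 0o740),
}


def permitted(entry, want, uid, groups):
    """Owner bits if uid matches, else group bits if any group matches,
    else other bits. Root bypasses everything, except that executing a
    file still requires at least one x bit to be set."""
    if uid == 0:
        return want != stat.S_IXOTH or bool(entry.mode & 0o111)
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bool(bits & want)


def can_exec(path, uid, groups, layout=LAYOUT):
    """Every directory on the way needs search (x); the file needs x.
    Components absent from the layout (here /tmp) are treated as open."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if d in layout and not permitted(layout[d], stat.S_IXOTH, uid, groups):
            return False
    return permitted(layout[path], stat.S_IXOTH, uid, groups)


def scenarios(path="/tmp/dir1/dir2/cmd"):
    """Outcomes for each credential set discussed in the thread."""
    relaxed = dict(LAYOUT, **{"/tmp/dir1": Entry(ROOT, SHADOW, 0o755)})
    return {
        "root": can_exec(path, ROOT, set()),
        "timo with shadow": can_exec(path, TIMO, {SHADOW}),
        "timo without shadow": can_exec(path, TIMO, set()),
        "timo1": can_exec(path, TIMO1, set()),
        "timo without shadow, dir1 755": can_exec(path, TIMO, set(), relaxed),
    }
```

The "timo without shadow" row reproduces the failure Timo sees through sudo, while "timo with shadow" reproduces the success of logging in as timo directly.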