[sudo-users] env_keep and LD_LIBRARY_PATH
Angelo Primavera
a.primavera at quipo.it
Thu Dec 7 06:04:03 EST 2006
Michael,
Well, I need to define sudo profiles (for instance HELP_DESK) so that a user can run some commands as root, some others as db and some others as the application user, and I want all commands executed by this user to be logged (obviously, for security reasons, the user does not know the root, db and application passwords!). Moreover, the system administrators do not want to modify what is already up.
I think SUDO is the solution: faster to apply and not intrusive.
The problem is that one of these commands is a database application console that unfortunately requires a library located in a non-standard path.
Another solution may be to create links for the needed library in the standard path... and make the administrator put up with this solution.
Angelo
----- Original Message -----
From: Michael Potter
To: Angelo Primavera
Cc: sudo-users at sudo.ws
Sent: Thursday, December 07, 2006 3:42 AM
Subject: Re: [sudo-users] env_keep and LD_LIBRARY_PATH
Angelo,
I suspect this is the correct one:
Default env_delete-=LD_LIBRARY_PATH
Except, Linux is probably resetting LD_LIBRARY_PATH before it runs sudo or any other setuid program.
Tell us more about what you are trying to do:
Why are you trying to run a program as root with libraries in non-standard locations?
One patch to sudo that I think would be easy to do, safe, and useful, would be this:
Default setenv+=LD_LIBRARY_PATH=/usr/lib:/lib:/non/std/but/safe/lib
Todd, can you comment?
As for wrapper scripts being too annoying, how about this:
------------------------
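#!/bin/bash
# Not yet running under sudo: re-run this same script through sudo,
# passing the original arguments through unchanged.
if [[ $SUDO_USER == "" ]]
then
    exec sudo "$0" "$@"
    exit 1 # exit if exec fails.
fi
# put commands here.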
------------------------
That way the wrapper script is also a shortcut for running sudo.
That is just a thought; I have not done that. I would be interested in community commenting on security aspects of that.
--
Michael Potter
On 12/6/06, Angelo Primavera <a.primavera at quipo.it> wrote:
Hi all,
I have read some posts about how to keep the LD_LIBRARY_PATH variable and the answer seems to be of two types:
use a command wrapper
use the Default setting for env_delete/env_keep.
I'm using sudo 1.6.8p12 on Linux Red Hat 7.3 and I would like to avoid the wrapper (system users are already annoyed at using the "sudo" command!), so I've tried each of the following options:
Default env_delete-=LD_LIBRARY_PATH
Default env_delete-=LD_*
Default env_keep+=LD_LIBRARY_PATH
Default env_keep+=LD_*
Unfortunately none of them works.
My question is:
Are the env_delete/env_keep options applicable to LD_LIBRARY_PATH? If yes, what is wrong with my settings?
Thank you in advance
Angelo
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
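
The wrapper option discussed in this thread, as an added example that is not code from either poster or from the sudo project: the wrapper, run through sudo, sets LD_LIBRARY_PATH itself to a fixed list of directories after checking that each one is root-owned and not writable by group or others. The `/opt/exampledb` paths and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The paths below are hypothetical placeholders.
DB_CONSOLE=/opt/exampledb/bin/console
DB_LIB_DIR=/opt/exampledb/lib

# dir_is_safe DIR [UID]: true only for an absolute, non-symlink directory that
# is owned by UID (default 0, root) and not writable by group or others.
dir_is_safe() {
    _dir=$1 _want=${2:-0}
    case $_dir in /*) ;; *) return 1 ;; esac
    [ -d "$_dir" ] && [ ! -L "$_dir" ] || return 1
    _info=$(ls -ldn -- "$_dir" | awk '{print $1, $3}')   # e.g. "drwxr-xr-x 0"
    [ "${_info##* }" = "$_want" ] || return 1
    case ${_info%% *} in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# build_lib_path UID DIR...: print the DIRs joined with ':'; fail on the first
# unsafe one. The caller's own LD_LIBRARY_PATH is never consulted.
build_lib_path() {
    _uid=$1; shift
    _path=
    for _d in "$@"; do
        dir_is_safe "$_d" "$_uid" || { echo "unsafe library dir: $_d" >&2; return 1; }
        _path=${_path:+$_path:}$_d
    done
    printf '%s\n' "$_path"
}

# run_console ARGS...: what the installed wrapper calls as its last line
# (run_console "$@"); sudo runs the wrapper, the wrapper sets the variable.
run_console() {
    LD_LIBRARY_PATH=$(build_lib_path 0 "$DB_LIB_DIR") || return 1
    export LD_LIBRARY_PATH
    exec "$DB_CONSOLE" "$@"
}
```

The sudoers rule then names the wrapper rather than the console binary, so the library path in effect is the one written in the wrapper and not one supplied by the invoking user.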