[sudo-users] env_keep and LD_LIBRARY_PATH

Angelo Primavera a.primavera at quipo.it
Thu Dec 7 06:04:03 EST 2006 

Micheal,  

well , I need to define sudo profiles (for instance HELP_DESK) so that  a user can run some commands as root, some others as db and some 
others else as application user and I want that all commands executed by this user are logged (obviously for security reason the user does 
not know root,db and application passwords !). Moreover system administrators does not want to modify what is already up.
I think SUDO is  the solution: faster to apply and not intrusive. 
The problem is that one of these commands is a database application console that unfortunately requires library located in a non standard path.

Another solution may be to create links for needed library on standard path.... and make administrator to put up with this solution.

Angelo


  ----- Original Message ----- 
  From: Michael Potter 
  To: Angelo Primavera 
  Cc: sudo-users at sudo.ws 
  Sent: Thursday, December 07, 2006 3:42 AM
  Subject: Re: [sudo-users] env_keep and LD_LIBRARY_PATH


  Angelo,

  I suspect this is the correct one:
  Default env_delete-=LD_LIBRARY_PATH
  except, Linux is probably reseting LD_LIBRARY_PATH before it runs sudo or any other setuid program.

  Tell us more about what you are trying to do: 
  Why are you trying to run a program as root with libraries in non-standard locations?

  One patch to sudo that I think would be easy to do, safe, and useful, would be this:
  Default setenv+=LD_LIBRARY_PATH=/usr/lib:/lib:/non/std/but/safe/lib 

  Todd, can you comment?

  As for wrapper scripts being too annoying, how about this:
  ------------------------
  #!/bin/bash

  if [[ $SUDO_USER == "" ]]
  then
     exec sudo $*
     exit 1 # exit if exec fails. 
  fi

  # put commands here.
  ------------------------

  That way the wrapper script is also a short cut for running sudo.

  That is just a thought; I have not done that.  I would be interested in community commenting on security aspects of that. 

  -- 
  Michael Potter


  On 12/6/06, Angelo Primavera <a.primavera at quipo.it> wrote: 
    Hi all,

    I have read some posts about how to  keep the LD_LIBRARY_PATH variable and the answer seams to be of two type:

        use a command wrapper

        use the Default setting for env_delete/env_keep.



    I 'm using sudo 1.6.8p12 on Linux redhat 7.3 and I would like to avoid the wrapper ( system user are already annoyed  using "sudo" command!) so I've tried each of next options :

        Default env_delete-=LD_LIBRARY_PATH 

        Default env_delete-=LD_*

        Default env_keep+=LD_LIBRARY_PATH

        Default env_keep+=LD_*

    Unfortunately none of them works.



    My question is:

        env_delete /env_keep options are applicable to LD_LIBRARY_PATH? If yes, what is wrong with my settings? 



    Thank you in advance



    Angelo

    ____________________________________________________________
    sudo-users mailing list <sudo-users at sudo.ws>
    For list information, options, or to unsubscribe, visit:
    http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list