[sudo-users] One logic, two results
Vladimir A. Pavlov
pv4 at bk.ru
Sat Jul 1 12:42:37 EDT 2006
Hi, all!
I am trying to create a secure Linux system, and sudo is supposed to help me
in doing so.
But when running/configuring sudo I have a problem with certain
folder/file permissions.
I have the following hierarchy, which seems to be secure enough for the
purposes it will be used for:
rwxr-xr-x root:root /
rwx--x--x root:root /folder1/
rwx--x--- root:group /folder1/folder2/
rwx--x--- root:group /folder1/folder2/prog
Then I'd like to execute prog upon system start as follows:
sudo -u user /folder1/folder2/prog
To accomplish this I
1. added user "user" to group "group"
2. created the following /etc/sudoers (note that it contains _only_ this
record):
root localhost = (user) /folder1/folder2/prog
And... when running the command mentioned above I get "Sorry, user root
is not allowed to execute '/folder1/folder2/prog' as user on
localhost."
Please note that both "root" and "user" can execute the command simply
from the bash prompt because
a) it's executable by "root" and belongs to it
b) it's executable by "user"'s group (which is "group")
c) I checked this :)
Then I found two different ways to solve the problem (you can use
_either_ the first or the second one):
1. add "root" to group "group"
OR
2. replace the shown record in /etc/sudoers with this one
root localhost = (user) ALL
The latter way is rather stupid, because in this case "root" can run any
command as "user", whereas with the original /etc/sudoers it could run
only the command it really needed.
Logically both /etc/sudoers files are _similar_, while the results they
give are quite opposite.
So,
1. is it a sudo bug, or do I misunderstand something?
2. if it's my fault, can you please recommend a way to solve the
problem (for example, please tell me which of the ways I found is the
"standard" one)?
BTW, I use sudo-1.6.8p12.
--
Nothing but perfection
pv
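Added illustration (not part of the original post, and not sudo's own code): the symptom above is consistent with the command path being stat()ed under an identity that is neither uid 0 nor a member of "group", but that still carries the invoking user's supplementary groups, which is why adding root to "group" changes the outcome while nothing else does. Whether sudo 1.6.8 really evaluates the path that way is an assumption here, not something the post establishes. The script below models the POSIX owner/group/other check for the exact hierarchy shown, walks every path component the way the kernel does for a lookup, and reports the first component each identity is denied on. The numeric uids/gids (root=0, user=1000, group=1001, and an arbitrary "uid 1") are constructed for the model and are not given on the page.

```python
import stat

# Constructed numeric ids for the model; the post names the accounts but
# never gives numbers.
ROOT_UID, USER_UID, USER_GID, GROUP_GID = 0, 1000, 1000, 1001

# The hierarchy from the post: path -> (mode, owner uid, owner gid).
TREE = {
    "/":                     (0o755, ROOT_UID, 0),          # rwxr-xr-x root:root
    "/folder1":              (0o711, ROOT_UID, 0),          # rwx--x--x root:root
    "/folder1/folder2":      (0o710, ROOT_UID, GROUP_GID),  # rwx--x--- root:group
    "/folder1/folder2/prog": (0o710, ROOT_UID, GROUP_GID),  # rwx--x--- root:group
}
DIRS = {"/", "/folder1", "/folder1/folder2"}


def has_x(mode, owner, group, uid, gid, groups, is_dir):
    """POSIX DAC execute (file) / search (directory) check for one object.

    uid 0 bypasses directory search permission entirely and may execute a
    file as long as *some* execute bit is set. Everyone else is classified
    as owner, group member (primary or supplementary), or other, in that
    order, and only that one class's x bit is consulted.
    """
    if uid == 0:
        return is_dir or bool(mode & 0o111)
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if gid == group or group in groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def can_reach(path, uid, gid, groups=()):
    """Walk every component of `path` as the given identity.

    Returns None if the identity can traverse all directories and execute
    the final file, otherwise the first component on which it is denied.
    """
    components = ["/"]
    cur = ""
    for part in (p for p in path.split("/") if p):
        cur = cur + "/" + part
        components.append(cur)
    for comp in components:
        mode, owner, group = TREE[comp]
        if not has_x(mode, owner, group, uid, gid, groups, comp in DIRS):
            return comp
    return None


# Identities to compare. The last two are the interesting ones: a non-root
# uid with root's primary gid, once without and once with a supplementary
# membership in "group" (what adding root to "group" would grant to any
# process that inherits root's group list).
IDENTITIES = {
    "root":                         (ROOT_UID, 0, ()),
    "user (member of group)":       (USER_UID, USER_GID, (GROUP_GID,)),
    "uid 1, gid 0, no extra groups": (1, 0, ()),
    "uid 1, gid 0, plus group":     (1, 0, (GROUP_GID,)),
}


def report(path="/folder1/folder2/prog"):
    """Map each identity name to the first denied component (None = allowed)."""
    return {name: can_reach(path, *ident) for name, ident in IDENTITIES.items()}


if __name__ == "__main__":
    for name, denied in report().items():
        print(f"{name:32s} -> {'OK' if denied is None else 'denied at ' + denied}")
```

Only the identity that is neither root nor in "group" is stopped, and it is stopped at /folder1/folder2 (the first directory with no x bit for "other"), not at prog itself; /folder1 is passable by anyone because of its --x for other. If you want to see the real check rather than the model, `namei -m /folder1/folder2/prog` run as the identity in question shows the same per-component picture on a live system.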