[sudo-users] One logic, two results
Galen Johnson
Galen.Johnson at sas.com
Sun Jul 2 11:02:03 EDT 2006
Why try to use sudo for this? If it's a command that is run upon start up (root can do anything as anyone without the need for sudo), just do this:
su - user -c "/folder1/folder2/prog"
However, if it's a long-term process you may want to nohup it and redirect its output.
=G=
-----Original Message-----
From: sudo-users-bounces at courtesan.com on behalf of Vladimir A. Pavlov
Sent: Sat 7/1/2006 12:42 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] One logic, two results
Hi, all!
I try to create a secure Linux system and sudo is supposed to help me in
doing so.
But when running/configuring sudo I have a problem with certain
folders/files permissions.
I have the following hierarchy which seems to be secure enough for the
purposes it would be used for
rwxr-xr-x root:root /
rwx--x--x root:root /folder1/
rwx--x--- root:group /folder1/folder2/
rwx--x--- root:group /folder1/folder2/prog
Then I'd like to execute the prog upon system start as follows
sudo -u user /folder1/folder2/prog
To accomplish this I
1. added user "user" to group "group"
2. created the following /etc/sudoers (note, it contains _only_ this
record):
root localhost = (user) /folder1/folder2/prog
And... when running the command mentioned above I got "Sorry, user root
is not allowed to execute '/folder1/folder2/prog' as user on
localhost."
Note please that both "root" and "user" can execute the command simply
from the bash prompt because
a) it's executable by "root" and belongs to it
b) it's executable by "user"'s group (which is "group")
c) I checked this :)
Then I found two different ways to solve the problem (you can use
_either_ the first or the second one):
1. add "root" to group "group"
OR
2. replace the shown record in /etc/sudoers with this one
root localhost = (user) ALL
The latter way is rather stupid because in this case "root" can run any
command as "user" whereas in the case of original /etc/sudoers it could
run only the command it was really needed.
Logically both /etc/sudoers files are _similar_ while the results they
give are quite opposite.
So,
1. is it a sudo bug or do I misunderstand something?
2. if it's my fault, can you please recommend a way to solve the
problem (for example, please tell me which of the found ways is the
"standard" one).
btw, I use sudo-1.6.8p12.
--
Nothing but perfection
pv