[sudo-users] One logic, two results

Galen Johnson Galen.Johnson at sas.com
Sun Jul 2 11:02:03 EDT 2006


Why try to use sudo for this?  If it's a command that is run upon start up (root can do anything as anyone without the need for sudo), just do this:

su - user -c "/folder1/folder2/prog"

However, if it's a long-term process, you may want to nohup it and redirect its output.

=G=

-----Original Message-----
From: sudo-users-bounces at courtesan.com on behalf of Vladimir A. Pavlov
Sent: Sat 7/1/2006 12:42 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] One logic, two results
 
Hi, all!

I am trying to create a secure Linux system, and sudo is supposed to help me 
in doing so.

But when running/configuring sudo I have a problem with certain 
folder/file permissions.

I have the following hierarchy which seems to be secure enough for the 
purposes it would be used for
rwxr-xr-x		root:root		/
rwx--x--x		root:root		/folder1/
rwx--x---		root:group		/folder1/folder2/
rwx--x---		root:group		/folder1/folder2/prog

Then I'd like to execute the prog upon system start as follows
sudo -u user /folder1/folder2/prog

To accomplish this I
1. added user "user" to group "group"
2. created the following /etc/sudoers (note, it contains _only_ this 
record):

root	localhost = (user) /folder1/folder2/prog

And... when running the command mentioned above I got "Sorry, user root 
is not allowed to execute '/folder1/folder2/prog' as user on 
localhost."

Note please that both "root" and "user" can execute the command simply 
from the bash prompt because 
a) it's executable by "root" and belongs to it
b) it's executable by "user"'s group (which is "group")
c) I checked this :)

Then I found two different ways to solve the problem (you can use 
_either_ the first or the second one):
1. add "root" to group "group"
OR
2. replace the shown record in /etc/sudoers with this one

root	localhost = (user) ALL

The latter way is rather stupid because in this case "root" can run any 
command as "user", whereas in the case of the original /etc/sudoers it could 
run only the command that was really needed.

Logically both /etc/sudoers files are _similar_ while the results they 
give are quite opposite.

So,
1. is it a sudo bug or do I misunderstand something?
2. if it's my fault, can you please recommend a way to solve the 
problem (for example, please tell me which of the found ways is the 
"standard" one).

btw, I use sudo-1.6.8p12.

-- 
Nothing but perfection
pv
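
An added example, not part of the original messages: a small model of the kernel's owner/group/other execute check applied to the hierarchy in the question, showing which uid and group-set combinations can reach prog. The numeric ids are constructed, and this models file permissions only, not sudo's own sudoers matching.

```python
from typing import NamedTuple, Optional, Set

class Node(NamedTuple):
    path: str
    mode: int
    owner: int
    group: int
    is_dir: bool

# Constructed numeric ids (assumptions, not from the post).
ROOT, USER, GROUP = 0, 1000, 2000

# The hierarchy exactly as listed in the question.
HIERARCHY = [
    Node("/", 0o755, ROOT, ROOT, True),
    Node("/folder1/", 0o711, ROOT, ROOT, True),
    Node("/folder1/folder2/", 0o710, ROOT, GROUP, True),
    Node("/folder1/folder2/prog", 0o710, ROOT, GROUP, False),
]

def may_exec(node: Node, uid: int, groups: Set[int]) -> bool:
    """Search (directory) or execute (file) permission for one path component."""
    if uid == 0:
        # uid 0 may search any directory; a regular file needs at least one x bit.
        return node.is_dir or bool(node.mode & 0o111)
    if uid == node.owner:
        return bool(node.mode & 0o100)   # owner class wins, even if group would grant
    if node.group in groups:
        return bool(node.mode & 0o010)
    return bool(node.mode & 0o001)

def first_denied(uid: int, groups: Set[int]) -> Optional[str]:
    """Path of the first component that denies x, or None if prog can be executed."""
    for node in HIERARCHY:
        if not may_exec(node, uid, groups):
            return node.path
    return None

if __name__ == "__main__":
    cases = [
        ("uid=root, groups={root}", ROOT, {ROOT}),
        ("uid=user, groups={user, group}", USER, {USER, GROUP}),
        ("uid=user, groups={user} (no 'group')", USER, {USER}),
        ("uid=user, groups={root} (no 'group')", USER, {ROOT}),
    ]
    for label, uid, groups in cases:
        print(f"{label:40} -> {first_denied(uid, groups) or 'can execute prog'}")
```

Any non-root identity whose group set lacks "group" is stopped at /folder1/folder2/, before prog's own mode bits are consulted.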