[sudo-users] [sudo-workers] Installing Application without fullsudo privilege

Russell Van Tassell russell+sudo-users at loosenut.com
Fri Feb 13 14:44:22 EST 2009


Well, the more specific (deeper in the tree) you can specify, the
better.  Myself, I have more of a tendency to just use aliases and then
use a list of absolute paths where users don't have write access.

In your first example, of course, /tmp/root.sh would also work (which I
think you realized "right after you hit send").

As someone else said, as far as I know, there's pretty much NO reason to
give Oracle users "root" once you do the install for them.  Chances are
you can just give them "oracle" and you're set (think that's what I've
always done in the past, anyway, and it's worked fine).

For those few incidents if/when they think they need root (don't think
they do), they could come to me (or the admin team) and we could "fix
it" for them...  or add another very-specific-condition where they get
root.

Hope that helps...
Russell

On Fri, Feb 13, 2009 at 02:03:39PM -0500, Asif Iqbal wrote:
> On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo
> <edgar.olvera at bbva.bancomer.com> wrote:
> > From a security point of view that's not recommended. Someone could
> > create a malicious script called "root.sh" in any directory and you'd be
> > allowing it to be run as root. That is a serious risk.
> 
> I realized that right after I hit the send button. So basically even
> a full path won't help if the user has write access to any
> of the parent dirs.
> 
> So /this/is/the/path/to/the/script.sh can be manipulated if the user
> has access to, say, /this/is/the.
> 
> Is there a better way to give sudo priv to a script short of the whole
> path and hoping user can't or won't
> play with the path?
> 
> > -----Mensaje original-----
> >
> > What if the path name is different for different env? Can I do it like
> > this /*/root.sh for path?

-- 
Russell M. Van Tassell
russell at loosenut.com

"No one is useless in this world who lightens the burdens of another."
                                                       - Charles Dickens
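Russell's advice to list only absolute paths where users have no write access, together with Asif's observation that a writable parent directory defeats a full path, can be turned into a quick pre-flight check before a rule goes into sudoers. The script below is an added example and is not from anyone in this thread; the alias name and the /opt/oracle path in its comments are hypothetical, and it assumes either GNU or BSD `stat` is available.

```shell
#!/bin/sh
# Added example (not from the thread): check that a command path you are
# about to put in a sudoers rule is under root's control, i.e. the file
# and every directory above it is owned by the trusted uid and is not
# group- or world-writable.  A writable parent lets an unprivileged user
# swap the script or the directory for their own, which is the problem
# the thread discusses with /*/root.sh and /tmp/root.sh.
#
# Paths that pass are candidates for a specific rule such as
# (hypothetical alias and path):
#   Cmnd_Alias ORACLE_INSTALL = /opt/oracle/product/root.sh
#   %dba ALL = (root) ORACLE_INSTALL

# Print "<uid> <octal mode>" for one path; GNU stat first, BSD stat as fallback.
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1" 2>/dev/null
}

# Return 0 if the path is safe; otherwise print each offending component
# to stdout and return 1.  $1 = absolute path, $2 = trusted uid (default 0).
sudo_target_is_safe() {
    p=$1
    trusted_uid=${2:-0}
    bad=0
    case "$p" in
        /*) ;;
        *) echo "not absolute: $p"; return 1 ;;
    esac
    # Resolve symlinks first so a root-owned link into a user directory
    # is judged by where it points (falls back to the literal path).
    p=$(realpath "$p" 2>/dev/null || printf '%s' "$p")
    while :; do
        info=$(stat_uid_mode "$p") || { echo "cannot stat: $p"; return 1; }
        uid=${info% *}
        mode=${info#* }
        other=${mode#"${mode%?}"}        # last octal digit: other
        rest=${mode%?}
        group=${rest#"${rest%?}"}        # second-to-last digit: group
        if [ "$uid" != "$trusted_uid" ]; then
            echo "owned by uid $uid, not $trusted_uid: $p"; bad=1
        fi
        # the write bit is set when the digit is 2, 3, 6 or 7
        case "$group" in [2367]) echo "group-writable: $p"; bad=1 ;; esac
        case "$other" in [2367]) echo "world-writable: $p"; bad=1 ;; esac
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$bad"
}

# usage: sudo_target_is_safe /opt/oracle/product/root.sh && echo "ok to list in sudoers"
```

Run it against each path before adding it to a Cmnd_Alias; anything under /tmp or a user's home is reported because a world-writable or user-owned directory sits above it, which is exactly the case the thread warns about.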


