[sudo-users] Installing Application without full sudo privilege

Matthew Hannigan mlh at zip.com.au
Sun Feb 15 20:57:28 EST 2009 

On Fri, Feb 13, 2009 at 12:16:11PM -0800, Russell Van Tassell wrote:
> 
> [Removing sudo-workers, again, as this isn't a "code" issue]
> 
> On Fri, Feb 13, 2009 at 02:57:38PM -0500, Asif Iqbal wrote:
> > On Fri, Feb 13, 2009 at 2:56 PM, Makarand Dongare <mmdongare at gmail.com> wrote:
> > > Just use root.sh without complete path as the oracle dba will need to
> > > cd to the path and run as sudo ./root.sh. This way it should work
> > > fine.
> > 
> > very good idea !!
> 
> Not sure I understand what you're getting at, here... but you'll still
> need the absolute path in the sudoers file, AFAIK.
> 
> Getting back to the alias idea, I generally create Cmnd_Aliases in the
> sudoers file for "all" the paths they'll ever need.  So, in the current
> example, I'd do something such as:
> 
> Host_Alias NET_10_8       =	10.0.0.0/255.0.0.0
> User_Alias ORACLE_ADMIN   =	%oracle
> Cmnd_Alias ORACLE_ROOT_SH =	/opt/oracle/bin/root.sh, \
> 				/usr/local/oracle/bin/root.sh
> 
> ORACLE_ADMIN NET_10_8 = (oracle) ORACLE_ROOT_SH

This is better but implies you (the sysadmin) will have to maintain root.sh.
That implies reviewing it and possibly reinstalling for every new version of
Oracle at least.  You might need multiple versions.

Even then it will give you a false sense of security.  I can see
a few places in root.sh that could be exploited to give the
person who runs it extra privileges.  It uses backticks and unquoted
variables as well as trusting its environment to a scertain degree.
It also invokes non-root owned sub programs.

You probably have to rewrite it partly to make it secure and yet make it
compatible enough with the vendor version.  This is a significant
responsibility for the sysadmin!

The proper solution to this mess is to have Oracle simplify and improve their
installation procedure.

Currently either sysadmin has to trust their DBA (at least for the duration
of the install) or the sysadmin has to run root.sh for them.  Even here the
sysadmin has to eyeball the script and check his environment and the programs
it calls in turn beforehand.

More information about the sudo-users mailing list