[sudo-users] running a script in a specific directory as root

Battersby-Cornmell, Robin Alasdair Robin.Battersby-Cornmell at uisl.unisys.com
Tue May 4 05:52:19 EDT 2010


There is a bigger problem here.  If you write the rule with a wildcard finish, your users could issue:
	sudo sh /net/common/installation/../../../usr/bin/shutdown

Probably better to script up what they are allowed to do and call that script with sudo.  You can be prescriptive with your rules so they can run the script only and you can then control what actually gets called.




Robin,
Unisys,
Liverpool
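The wildcard escape Robin describes, and the wrapper approach he recommends, as an added example that is not code from either poster. It assumes the wrapper is installed as /usr/local/sbin/run-installer (an assumed name), that /net/common/installation is the allowed tree (overridable through ALLOWED_ROOT so the checks can be exercised in a scratch directory), and that sudoers grants bob that single command rather than `/bin/sh /net/common/installation/*`. The user then types `sudo run-installer test/myScript.sh` instead of the full path, and the wrapper, running as root, resolves the name under the allowed tree and refuses anything that escapes it by `..` or by symlink.

```shell
#!/bin/sh
# Added example (not from the sudo-users thread). Assumed deployment:
#   install -o root -g root -m 755 run-installer /usr/local/sbin/run-installer
#   sudoers:  bob  ALL=(root) /usr/local/sbin/run-installer
#
# Assumed root of the allowed scripts; overridable so the checks below can be
# tested against a scratch directory.
ALLOWED_ROOT=${ALLOWED_ROOT:-/net/common/installation}

# resolve_allowed NAME
# Prints the canonical path of NAME if it is a regular, non-symlink file
# under ALLOWED_ROOT owned by the effective user (root under sudo);
# otherwise prints nothing and returns 1.
resolve_allowed() {
    name=$1
    [ -n "$name" ] || return 1

    # First gate, on the string alone: no ".." component anywhere, so the
    # wildcard-style escape ../../../usr/bin/shutdown never touches the
    # filesystem.
    case "/$name/" in
        */../*) return 1 ;;
    esac

    # Relative names are taken under the allowed tree; absolute names are
    # accepted only if they canonicalise to a location inside it.
    case "$name" in
        /*) candidate=$name ;;
        *)  candidate=$ALLOWED_ROOT/$name ;;
    esac

    # Canonicalise both the tree and the directory part of the candidate with
    # pwd -P, so a symlinked directory inside the tree cannot point elsewhere,
    # then re-check containment on the resolved path.
    root=$(cd "$ALLOWED_ROOT" 2>/dev/null && pwd -P) || return 1
    dir=$(cd "$(dirname "$candidate")" 2>/dev/null && pwd -P) || return 1
    real=$dir/$(basename "$candidate")
    case "$real" in
        "$root"/*) ;;
        *) return 1 ;;
    esac

    # The target itself must be a regular file, not a symlink to elsewhere,
    # and owned by the effective user (root when invoked through sudo).
    [ -f "$real" ] && [ ! -L "$real" ] && [ -O "$real" ] || return 1
    printf '%s\n' "$real"
}

# Entry point: run the resolved script with /bin/sh, as the original sudoers
# rule did. Extra arguments are deliberately not forwarded, so what runs as
# root is fixed by the script's contents alone.
main() {
    target=$(resolve_allowed "$1") || {
        echo "run-installer: refusing '$1': not a script under $ALLOWED_ROOT" >&2
        exit 2
    }
    exec /bin/sh "$target"
}

# Only dispatch when invoked with a script name; sourcing the file for its
# functions (as the checks below do) runs nothing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The wrapper must be root-owned and not writable by the users it serves, and the same goes for every script under the allowed tree; the `-O` test only confirms root ownership after sudo has switched user, it does not detect a group- or world-writable script, so that still has to be enforced by the tree's permissions (and, on NFS, by whether the export root-squashes). Whatever sudo's own wildcard matching does with `..`, the wrapper no longer depends on it: sudoers grants one fixed command and the containment decision is made on the canonical path.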

-----Original Message-----
From: larry prikockis [mailto:lprikockis at vecna.com] 
Sent: 30 April 2010 04:18
To: sudo-users at sudo.ws
Subject: [sudo-users] running a script in a specific directory as root

I have a need for users to be able to run certain scripts located in subdirectories of /net/common (e.g.,
/net/common/installation/test/myScript.sh) as root using sudo.

by adding a line like:

bob	ALL=/bin/sh /net/common/installation/*

to sudoers

Bob can log in, and execute 'sudo sh /net/common/installation/test/myScript.sh' with no problem.

However, is there a way to allow Bob to simply change to the /net/common/installation/test directory and then execute:

'sudo ./myScript.sh' without specifying the full path?

Obviously, I don't want to simply allow users to run e.g., "myScript.sh" from any directory as root since then there would be no way to prevent someone from creating a script called "myScript.sh" that contained commands I *don't* want a user running as root.

The idea is that most users have only read access to
/net/common/installation/*

Any thoughts on how to make it less cumbersome for users (i.e., not requiring them to type the full path when they're already in the same directory as the script) while still retaining control over the location of the script being executed with root privileges?

thanks for any help...

--
Larry J. Prikockis
System Administrator
240-965-4597 (direct)
lprikockis at vecna.com
www.vecna.com

Vecna Technologies, Inc.
6404 Ivy Lane
Suite 500
Greenbelt, MD 20770
Phone: 240-965-4500
Fax: 240-547-6133
Better Technology, Better World (TM)


