[sudo-users] best way to user sudo for a long running back group process
Maarten de Vries
maarten at de-vri.es
Sat Mar 17 05:32:04 MDT 2018
On 16 March 2018 at 22:47, Davis Roman <davis.roman84 at gmail.com> wrote:
> hello,
>
> I have a daemon called powermanager running as the non-root user, power.
>
> In /etc/sudoers.d/power, I have the following:
> power ALL=(ALL) NOPASSWD: ALL
>
> I know that the above statement essentially gives the powermanager
> process root priveleges
> however, in the future, I'd like to have the option to enforce that
> certain commands/files not be used.
> My understanding is that the sudoers file would be the place to place
> these rules.
> ( ie: disable ability to open file /dev/foobar )
>
Blacklisting commands will never be a secure policy. It can easily be
bypassed by other programs that allow the user to execute arbitrary
commands. There are many of those programs, and even if there weren't,
anyone can create or rename an executable to do whatever they want. Since
it is a new command, it would not be blacklisted.
The only way to securely allow your daemon to perform some tasks with
elevated privileges is to whitelist exactly those things it has to do. And
even then you should be careful not to accidentally whitelist too much, or
whitelist something that allows executing other commands.
-- Maarten
More information about the sudo-users
mailing list