[sudo-users] (Hopefully) quick policy question

Mihai Moldovan ionic at ionic.de
Tue Sep 26 10:54:25 MDT 2023


* On 9/26/23 16:59, Jore wrote:
> Okay, to consider that approach, do you have any resources for what 
> might be a good start for that? As it stands, I don't really know how to 
> approach calling a bash script inside a bash script as root safely.

Nothing written down, but the concept is so easy that I hardly expect it to be
part of any resource.

If you want to call acme.sh and only allow specific parameters passed to it,
create a script such as acme-wrapper.sh (using any POSIX-compatible shell should
do), which parses the arguments (either fully manually by iterating over "${@}"
or using helpers such as "getopts") and either errors out if it sees something
unexpected or eventually calls acme.sh (preferably with a hardcoded, read-only
location).

Within sudo, you'll only need to make acme-wrapper.sh executable as a different
user, since executing something else will retain privileges, unless they are
explicitly dropped.



The real magic happens in the wrapper, but what it does is completely your
responsibility and must also be tailored to your needs, which, likewise, means
that there's no "one size fits all" solution.



Mihai
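
The wrapper described above, as an added example that is not part of the original message or of the sudo project's code. The install paths, the user name certuser, the domain allowlist and the choice of "--cron" and "--renew -d <domain>" as the only permitted operations are assumptions made for illustration.

```shell
#!/bin/sh
# acme-wrapper.sh (added example). Assumed sudoers rule, wrapper root-owned:
#   certuser ALL=(root) /usr/local/sbin/acme-wrapper.sh
ACME_SH=/usr/local/libexec/acme.sh/acme.sh    # assumed hardcoded, root-owned path
ALLOWED_DOMAINS="example.com www.example.com" # constructed allowlist
# Fixed environment for everything the wrapper starts.
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
unset IFS ENV BASH_ENV CDPATH
# Exact string match only: no patterns, so nothing option-like can match.
domain_allowed() {
    for d in $ALLOWED_DOMAINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Succeeds only for "--cron" or "--renew -d <allowed domain>" (any order),
# leaving the validated values in ACME_OP and ACME_DOMAIN.
check_args() {
    ACME_OP='' ACME_DOMAIN=''
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --renew|--cron)
                [ -z "$ACME_OP" ] || return 1      # one operation only
                ACME_OP=$1 ;;
            -d)                                    # needs a value, once only
                [ "$#" -ge 2 ] && [ -z "$ACME_DOMAIN" ] || return 1
                domain_allowed "$2" || return 1
                ACME_DOMAIN=$2; shift ;;
            *)  return 1 ;;                        # anything unexpected: refuse
        esac
        shift
    done
    case "$ACME_OP" in
        --renew) [ -n "$ACME_DOMAIN" ] ;;
        --cron)  [ -z "$ACME_DOMAIN" ] ;;
        *)       return 1 ;;
    esac
}

# Rebuild the command line from validated values; never forward "$@".
acme_wrapper() {
    check_args "$@" || { echo "acme-wrapper: arguments refused" >&2; return 64; }
    [ "$ACME_OP" = --cron ] && exec "$ACME_SH" --cron
    exec "$ACME_SH" --renew -d "$ACME_DOMAIN"
}
# Entry point; with no arguments there is nothing to run.
[ "$#" -eq 0 ] || acme_wrapper "$@"
```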