Hacking sudoers

Bob Proulx bob at proulx.com
Sat May 31 12:33:51 EDT 2003


Steffan A. Cline wrote:
> This would need to have the s bit set on it right?

Yes, the same as sudo which also needs an suid bit set.  It would need
to be suid to the user you wish to run the command, which may not be
root and preferably would not be.  Or set-group-id to a group which
has permission, which would be more preferable since this has less
permission.

> Could this be done inside of a dylib that is loaded into Lasso? I
> didn't think it was possible. That is why I have been fooling with
> sudo.

I am not familiar with Lasso, sorry.  But no, I don't think it is
possible to use a dynamic library directly.  It could of course call
a suid program.  But it cannot escalate its privilege level
otherwise.

In another message:
> The fact that sudo authenticates the user and the password is ideal.

Not being knowledgeable about Lasso or other web environments I can't
deduce how you are going to do this.  But maybe someone else on the
list will know so I am just going to ask some silly questions.  How
are you going to authenticate a user?  Even with a PAM module this
sounds inconvenient.  Being an httpd environment means there won't be
a tty to interactively query the user.  So I would assume that all
authentication would need to be done by the httpd prior to the web
script running any commands.  The security would seem to need to be
not in sudo at this point but in the httpd/Lasso script which called
it?

Bob
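
Added example, not part of the original message and not code from sudo: one way the small set-group-id helper discussed above could look in C. The `webhelper` name, the action names and the paths are hypothetical, and authentication is assumed to have been done by the web layer before the helper is called.

```c
/* Added example: set-group-id helper that a web script calls by action
 * name. Action names and paths are hypothetical placeholders. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct action { const char *name; const char *path; };

/* Fixed allow-list: the caller picks a name, never a command line. */
static const struct action ACTIONS[] = {
    { "rotate-logs", "/usr/local/libexec/webhelper/rotate-logs" },
    { "reload-conf", "/usr/local/libexec/webhelper/reload-conf" },
};

/* Return the absolute path for an allowed action, or NULL. */
const char *lookup_action(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].path;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Environment is rebuilt from scratch; nothing is inherited. */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    const char *path = (argc == 2) ? lookup_action(argv[1]) : NULL;

    if (path == NULL) {
        fprintf(stderr, "usage: webhelper <allowed-action>\n");
        return 2;
    }
    /* The helper is meant to carry a group's permission only, so it
     * refuses to continue when its effective user is root. */
    if (geteuid() == 0) {
        fprintf(stderr, "webhelper: refusing to run as root\n");
        return 3;
    }
    char *const child_argv[] = { (char *)path, NULL };
    execve(path, child_argv, clean_env);
    perror("execve");   /* only reached if execve failed */
    return 1;
}
```

The helper gains the group's permission only when the binary is owned by that group and has the set-group-id bit on (for example mode 2755); a library loaded into the web server process gets no such change.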

