[sudo-workers] [sudo-users] Installing Application without fullsudo privilege

Asif Iqbal vadud3 at gmail.com
Fri Feb 13 14:03:39 EST 2009


On Fri, Feb 13, 2009 at 1:24 PM, Olvera Peralta Edgar Alfredo
<edgar.olvera at bbva.bancomer.com> wrote:
> From a security point of view that's not recommended. Someone could
> create a malicious script called "root.sh" in any directory and you'd be
> allowing to run it as root. That is a serious risk.

I realized that right after I hit the send button. So basically even
a full path won't help if the user has write access to any of the
parent dirs.

So /this/is/the/path/to/the/script.sh can be manipulated if the user
has access to say /this/is/the.

Is there a better way to give sudo priv to a script short of the whole
path and hoping the user can't or won't play with the path?

>
> Regards,
> Edgar Olvera
>
> -----Original Message-----
> From: sudo-workers-bounces at courtesan.com
> [mailto:sudo-workers-bounces at courtesan.com] On behalf of Asif Iqbal
> Sent: Friday, February 13, 2009 11:17 a.m.
> To: Makarand Dongare
> CC: sudo-users at sudo.ws; sudo-workers at sudo.ws
> Subject: Re: [sudo-workers] [sudo-users] Installing Application without
> fullsudo privilege
>
> On Fri, Feb 13, 2009 at 11:43 AM, Makarand Dongare <mmdongare at gmail.com>
> wrote:
>> First thing is that Oracle does not need to be installed as root.
>> There are a couple of scripts that need to be run as rootpre.sh or
>> root.sh. Once you do that for app team, they do not need root access
>> for anything.
>> If you want to give them root access to run those scripts then give it
>> as below:
>>
>> oracle servername=(root) full-path-for-command
>
> What if the path name is different for different env? Can I do it like
> this /*/root.sh for path?
>
>>
>> Hope this helps.
>>
>> Makarand Dongare
>>
>>
>> On 2/13/09, Asif Iqbal <vadud3 at gmail.com> wrote:
>>> Hi All
>>>
>>> My application team needs to install Oracle on hosts. They are asking
>>> for full sudo privilege, so that they can install app as root.
>>>
>>> Is there a lesser privilege that you can suggest than
>>>   user ALL=(ALL) ALL
>>>
>>> Thanks
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>> ____________________________________________________________
>>> sudo-users mailing list <sudo-users at sudo.ws>
>>> For list information, options, or to unsubscribe, visit:
>>> http://www.sudo.ws/mailman/listinfo/sudo-users
>>>
>>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
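
Added example, not part of the original message: a check an administrator could run before putting a script path into sudoers, walking every component from the script up to / and reporting anything a non-root account could rewrite or swap out. The names unsafe_components and trusted_uids are hypothetical, and the check assumes that any group or other write bit is unsafe.

```python
import os
import stat
import sys

def unsafe_components(path, trusted_uids=(0,)):
    """Return [(component, reason), ...] for every part of the path that an
    untrusted account could replace or rewrite (assumed policy: trusted owner,
    no group/other write bit)."""
    seen, findings = set(), []
    # Audit the path as written in sudoers and the symlink-resolved path.
    for current in (os.path.abspath(path), os.path.realpath(path)):
        while current not in seen:      # dirname("/") == "/", so this ends at /
            seen.add(current)
            st = os.stat(current)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in trusted_uids:
                findings.append((current, "owned by untrusted uid %d" % st.st_uid))
            writable = mode & (stat.S_IWGRP | stat.S_IWOTH)
            # In a sticky directory (e.g. /tmp) only the owner of an entry or of
            # the directory may rename or delete it, so a trusted-owned child
            # cannot be swapped out by other users.
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if writable and not sticky_dir:
                findings.append((current, "group/other writable (mode %o)" % mode))
            current = os.path.dirname(current)
    return findings

if __name__ == "__main__":
    # Usage: python3 check_sudo_path.py /this/is/the/path/to/the/script.sh
    problems = unsafe_components(sys.argv[1])
    for component, reason in problems:
        print("%s: %s" % (component, reason))
    sys.exit(1 if problems else 0)
```

Only ownership and mode bits are examined; POSIX ACLs and writable network mounts are outside what this check sees.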