[sudo-workers] expansion in filenames
davidleothomas at gmail.com
Thu Apr 28 16:49:30 EDT 2011
I've a goal in mind, and a proposed extension which will put it within
reach. I welcome comments if 1) there's already an easy (enough) path
to my goal, 2) it's really not a good idea in the first place, or 3)
someone's already working on a comparable extension. Otherwise, I'll
see about putting together a patch in the next few days.
My goal is to allow a user to grant other users the ability to run
something as them in a controlled way without intervention from the
system administrator. This way, I can grant another user controlled
access to resources I control. Setuid is a partial solution, but
setuid scripts are generally insecure, perl-setuid is on the way out,
and (most importantly) a setuid application can still return to its
real UID so I must trust the person whose resources I intend to access
not to abuse my permissions.
So, my thought is to apply the escape sequence expansions permissible
in the password prompt to filenames, allowing something like:
ALL ALL=(ALL) /home/%U/blessed/%u/*
This would allow me to grant, say, steve the ability to run
dosomething.sh as me by putting the script in ~/blessed/steve/,
something which really should be between steve and I and not need the
blessing of the sysadmin in each individual case.
More information about the sudo-workers