[sudo-workers] expansion in filenames

Avram Lubkin avram at avram.us
Fri Apr 29 12:45:20 EDT 2011


Something like that would be a bad idea. In short, you'd undermine the
security of the user separation. You have separate accounts specifically so
each user runs programs in their own context. Also, it could be exploited.
For instance, if the file permissions on the script or the script itself
weren't setup correctly, it would be trivial to allow the other user to do
anything in the context of the original user.


> Message: 1
> Date: Thu, 28 Apr 2011 13:49:30 -0700
> From: David Thomas <davidleothomas at gmail.com>
> To: sudo-workers at sudo.ws
> Subject: [sudo-workers] expansion in filenames
> Message-ID: <BANLkTinVWoC5gBYmdTcV4zMLuYhcFYM=iw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi list,
>
> I've a goal in mind, and a proposed extension which will put it within
> reach.  I welcome comments if 1) there's already an easy (enough) path
> to my goal, 2) it's really not a good idea in the first place, or 3)
> someone's already working on a comparable extension. Otherwise, I'll
> see about putting together a patch in the next few days.
>
> My goal is to allow a user to grant other users the ability to run
> something as them in a controlled way without intervention from the
> system administrator. This way, I can grant another user controlled
> access to resources I control.  Setuid is a partial solution, but
> setuid scripts are generally insecure, perl-setuid is on the way out,
> and (most importantly) a setuid application can still return to its
> real UID so I must trust the person whose resources I intend to access
> not to abuse my permissions.
>
> So, my thought is to apply the escape sequence expansions permissible
> in the password prompt to filenames, allowing something like:
>
> ALL  ALL=(ALL) /home/%U/blessed/%u/*
>
> This would allow me to grant, say, steve the ability to run
> dosomething.sh as me by putting the script in ~/blessed/steve/,
> something which really should be between steve and I and not need the
> blessing of the sysadmin in each individual case.
>
> Thoughts?
>
>
> ------------------------------
>
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers
>
> End of sudo-workers Digest, Vol 78, Issue 5
> *******************************************
>



More information about the sudo-workers mailing list