[Gllug] sudo query
Vincent AE Scott
gllug at codex.net
Tue Feb 5 16:08:24 UTC 2002
Bruce Richardson(itsbruce at uklinux.net)@Tue, Feb 05, 2002 at 03:40:46PM +0000:
>
> On 2/5/02, 3:17:28 PM, Vincent AE Scott <gllug at codex.net> wrote regarding
> [Gllug] sudo query:
>
> > I have a program that I want to use with sudo; the command can only be
> > run by a defined user in /etc/sudoers. This works up to a point. The
> > program that's started attempts to create a file in the real user's $HOME.
> > This fails, as sudo does setuid(), and so the program no longer has
> > permission to write there.
>
> > So the question is, how do I get sudo to use the home directory of the
> > user it's supposed to be running as? I've tried running sudo -H, but
> > that makes no difference. Any ideas, y'all?
>
> Yes, actually. Obviously you can't access the real user's home directory
> because the user sudo is switching to has no rights to the home directory. So:
>
> 1. Write a script something like this
>
> #!/bin/bash
> #
> # /usr/local/bin/doforuser
> # Usage: doforuser <username>   (run via sudo as that user)
>
> touch "/home/$1/filename"
> dowhateveritwas   # the rest of the work that needs the user's home
>
> 2. Give the user that this sudo command runs as the right to run this
> script as any user in a group that you specify.
>
> 3. Modify your current script/program so that it takes the username of
> the real user as a parameter (or find some way to get that info - does
> sudo put it in an environmental variable?).
>
> 4. Have your current script run
>
> /usr/local/bin/doforuser $username
>
>
> So you, as a user, run the sudo-ed program which, when it needs to do
> stuff in your home directory, runs a script sudo-ed as you.
>
> You need to be careful how you set this up to avoid abuse (make sure that
> it's not possible to log in as the special user etc)
>
Hmm, tricky, that wasn't quite what I wanted to do. The file in question
is created in ~/tmp/ using mkstemp, so there's no real way of knowing
what the file name is going to be, and I don't really want to make tmp
777.
Hmmm, maybe I'll have to modify the program that's being run instead.
--
PGP key: http://codex.net/pgp/pgp.asc
Smash forehead on keyboard to continue...
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
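An added example, not code from this thread or from either poster: a POSIX shell sketch of the two points the exchange turns on. sudo exports SUDO_USER (and SUDO_UID/SUDO_GID) to the command it runs, which answers the question about an environment variable; and rather than making ~/tmp mode 777, a wrapper can refuse to create its mkstemp-style scratch file unless the directory is owned by the expected user and is not world-writable, so the failure is explicit instead of being "fixed" by opening the directory up. The function names, the constructed passwd sample in the comments, and the prog.XXXXXX template are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for a program that runs
# under sudo but needs a scratch file in the *invoking* user's ~/tmp.

# Look up a user's home directory in a passwd-format file ($2), defaulting
# to /etc/passwd. Taking the file as a parameter keeps the function testable
# against a constructed sample such as:
#   vincent:x:1000:1000::/home/vincent:/bin/bash
home_of_user() {
    user="$1"
    passwd="${2:-/etc/passwd}"
    awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd"
}

# sudo sets SUDO_USER to the name of the user who ran sudo; outside sudo the
# variable is absent, so fall back to the current user.
invoking_user() {
    printf '%s\n' "${SUDO_USER:-$(id -un)}"
}

# A scratch directory is acceptable only if it exists, is owned by the
# expected user and has no world-write bit (-002): a private ~/tmp, never 777.
private_dir_ok() {
    dir="$1"
    owner="$2"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -user "$owner" ! -perm -002 2>/dev/null)" ]
}

# Create a mkstemp-style temporary file (mode 0600 via umask) inside a
# verified directory and print its path. On a failed check: non-zero exit,
# nothing created, nothing printed.
make_private_tmpfile() {
    dir="$1"
    owner="$2"
    private_dir_ok "$dir" "$owner" || return 1
    (umask 077 && mktemp "$dir/prog.XXXXXX")
}

# Typical use from inside a sudo-run wrapper: resolve the invoker and their
# home, then try to place the scratch file in $home/tmp.
main() {
    who=$(invoking_user)
    home=$(home_of_user "$who")
    [ -n "$home" ] || { echo "no passwd entry for $who" >&2; return 1; }
    make_private_tmpfile "$home/tmp" "$who"
}
```

Note what this does not do: when sudo has switched to another uid, a mode 700 ~/tmp owned by the invoker is still not writable by the program, and make_private_tmpfile fails rather than working around it. That is the point of the check; the fix belongs in how the program is invoked (Bruce's "run a script sudo-ed as you" idea) or in the program itself, as the reply above concludes.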