Re: VI wrapper for SUDO? - another bad way ??
Alvin Oga writes:
>if that sh script is called sucpaliases...
>you cannot(should not) put "sudo sucpaliases" inside of it
> - infinite recursion...
Of course not. The script I wrote is "editaliases" and inside that
script, your "sucpaliases" is called.
>-- another simpler way is to make /etc/aliases group writable
> and newaliases for sudo by certain users
> -- good and bad idea..
>
>-- and you can put /etc/aliases into cvs control tooo
These ideas are OK for some things, not for others. Sendmail is picky
about the ownership and permissions on certain files.
>-- c code is subject to buffer overflow problems...
>-- scripts are susceptable to environment variables changing...
Right - but I think the former is easier to thwart. Don't most Linux
systems prohibit setuid shell scripts, for example?
>-- in either case... you have to trust your users that run the
> scripts/apps to replace /etc/aliases w/o giving um root access
Of course, the idea is to give certain permissions to certain users
without giving away the farm. That's what sudo's all about.
--Bill.
--
William R Ward bill@wards.net http://www.wards.net/~bill/
-----------------------------------------------------------------------------
If you're not part of the solution, you're part of the precipitate.
Reply to: