
Re: Change root> normal user?



James Wilkinson wrote:
> Todd Zullinger wrote:
>> If you use sudo, you don't have to give the user the root password,
>> you just edit the /etc/sudoers file to allow them to run the
>> particular command(s) you want and they enter their own password to
>> run them.
>
> Note: depending on what the program is, this may be equivalent to giving
> users the root password. In particular, if there is any way to "shell
> out" from the program, or run an external editor, then the user can end
> up with a root shell.
>
> I'm also concerned about the man-page paragraph:
>        To prevent command spoofing, sudo checks "." and "" (both
>        denoting current directory) last when searching for a command in
>        the user's PATH (if one or both are in the PATH).  Note, however,
>        that the actual PATH environment variable is not modified and is
>        passed unchanged to the program that sudo executes.
>
> I read this as saying that *if* a program runs another program merely by
> name (e.g. "hostname" rather than "/bin/hostname"), then a malicious
> user could place a symlink to bash from ./hostname, change the PATH
> appropriately, and sudo the first program.
>
> In general, simple text-mode programs are OK, complex graphical ones may
> well have holes.
>
> James.
In the case in question the user tunes pianos and keeps about 5000
customer names and related information on this computer, standing in a corner
of his home office where no one other than himself gets near it! Security
is not a consideration here. He has been using a DOS program for years, which I
suspect offers little security if any, but which has been crippled since the
year 2000 arrived. I have moved his accounts into mysql, which took considerable
effort on my part. Now all I want is to create a user situation where he is
unlikely to damage the system inadvertently.

I am working at it, but I keep running into glitches where stuff works in a
terminal window as user but won't work with the scripts I created to enable him
to start things from xfce task bar icons. But like everything else I do, I will
eventually muddle through.

I find the stuff received on this mailing list both interesting and invaluable.

Thank you all.

Bob Goodwin
Zuni, Virginia
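As an added example, not written by anyone in this thread: two small defender-side checks in POSIX shell for the sudo PATH behaviour James quotes, one that reports whether a PATH searches the current directory, and one that prints a sudoers fragment which resets the environment, fixes the PATH sudo uses, and applies NOEXEC so the permitted program cannot shell out. The user name bob and the command /usr/local/bin/pianodb-start are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Placeholders: the user
# "bob" and the wrapper command /usr/local/bin/pianodb-start.

# path_has_cwd PATHSTRING
# Returns 0 (true) when PATH contains "." or an empty entry, the two
# spellings of "current directory" that sudo searches last. Either one
# lets a file in the caller's working directory shadow a command that a
# program invokes by bare name (e.g. "hostname" instead of "/bin/hostname").
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# hardened_sudoers USER COMMAND
# Prints a sudoers fragment for a single permitted command:
#   env_reset   - the caller's environment (PATH included) is not passed on
#   secure_path - the PATH sudo uses to find and run the command
#   NOEXEC      - the program may not execute other programs, which closes
#                 the "shell out" / external-editor hole for dynamically
#                 linked programs (static binaries are not covered)
# COMMAND must be an absolute path, so nothing is looked up via PATH at all.
hardened_sudoers() {
    cat <<EOF
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
$1 ALL = (root) NOEXEC: $2
EOF
}

# Demonstration: inspect the caller's own PATH, then print the fragment.
if path_has_cwd "$PATH"; then
    echo "warning: PATH searches the current directory: $PATH"
fi
hardened_sudoers bob /usr/local/bin/pianodb-start
```

The fragment is meant to be checked with visudo before being installed under /etc/sudoers.d; the PATH check can also be run over the PATH a desktop launcher script inherits, which is often not the same as the one in a terminal.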

