Change root> normal user?

Bob Goodwin bobgoodwin at wildblue.net
Wed Sep 20 19:37:23 UTC 2006


James Wilkinson wrote:
> Todd Zullinger wrote:
>   
>> If you use sudo, you don't have to give the user the root password,
>> you just edit the /etc/sudoers file to allow them to run the
>> particular command(s) you want and they enter their own password to
>> run them.
>>     
>
> Note: depending on what the program is, this may be equivalent to giving
> users the root password. In particular, if there is any way to "shell
> out" from the program, or run an external editor, then the user can end
> up with a root shell.
>
> I'm also concerned about the man-page paragraph:
>        To prevent command spoofing, sudo checks "." and "" (both
>        denoting current directory) last when searching for a command in
>        the user’s PATH (if one or both are in the PATH).  Note, however,
>        that the actual PATH environment variable is not modified and is
>        passed unchanged to the program that sudo executes.
>
> I read this as saying that *if* a program runs another program merely by
> name (e.g. "hostname" rather than "/bin/hostname"), then a malicious
> user could place a symlink to bash from ./hostname, change the PATH
> appropriately, and sudo the first program.
>
> In general, simple text-mode programs are OK, complex graphical ones may
> well have holes.
>
> James.

In the case in question the user tunes pianos and keeps about 5000
customer names and related information in this computer standing in a
corner of his home office where no one other than himself gets near it!
Security is not a consideration here. He has been using a DOS program for
years which I suspect offers little security if any but which has been
crippled since year 2000 arrived. I have moved his accounts into mysql
which took considerable effort on my part. Now all I want is to create a
user situation where he is unlikely to damage the system inadvertently.

I am working at it but I keep running into glitches where stuff works in
a terminal window as user but won't work with the scripts I created to
enable him to start things from xfce task bar icons. But like everything
else I do I will eventually muddle through.

I find the stuff received on this mailing list both interesting and
invaluable.

Thank you all.

Bob Goodwin Zuni, Virginia
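
An added example, not part of the original thread: a POSIX shell check for the PATH concern raised in the quoted man-page discussion. It reports PATH entries that are empty, ".", relative, or world-writable, since those are the entries where a command run by bare name can resolve to a file the invoking user controls. The function name and the sample PATH value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string before a
# script that calls commands by bare name is allowed to run under sudo.
# Prints one "reason:entry" line per risky entry; prints nothing if clean.
unsafe_path_entries() {
    # Append a colon so a trailing empty entry ("/usr/bin:") is not lost
    # when the string is split on ':' below.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # everything after the first colon
        case $entry in
            '')
                # An empty entry means the current directory.
                echo "empty:" ;;
            .)
                echo "dot:." ;;
            /*)
                # Absolute path: risky only if any user may create files in it.
                if [ -d "$entry" ]; then
                    perms=$(ls -ldL "$entry" | cut -c1-10)
                    case $perms in
                        ????????w*) echo "world-writable:$entry" ;;
                    esac
                fi ;;
            *)
                # Relative entries resolve against the current directory.
                echo "relative:$entry" ;;
        esac
    done
}

# Constructed sample value: one normal entry, an empty entry, ".", and a
# relative directory.
unsafe_path_entries "/usr/bin::.:bin"
```

A wrapper script launched from a task bar icon can call this on "$PATH" and refuse to continue if anything is printed; calling each external program by absolute path inside the wrapper removes the dependence on PATH altogether.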