Change root> normal user?
Bob Goodwin
bobgoodwin at wildblue.net
Wed Sep 20 19:37:23 UTC 2006
James Wilkinson wrote:
> Todd Zullinger wrote:
>
>> If you use sudo, you don't have to give the user the root password,
>> you just edit the /etc/sudoers file to allow them to run the
>> particular command(s) you want and they enter their own password to
>> run them.
>>
>
> Note: depending on what the program is, this may be equivalent to giving
> users the root password. In particular, if there is any way to "shell
> out" from the program, or run an external editor, then the user can end
> up with a root shell.
>
> I'm also concerned about the man-page paragraph:
> To prevent command spoofing, sudo checks "." and "" (both
> denoting current directory) last when searching for a command in
> the user’s PATH (if one or both are in the PATH). Note, however,
> that the actual PATH environment variable is not modified and is
> passed unchanged to the program that sudo executes.
>
> I read this as saying that *if* a program runs another program merely by
> name (e.g. "hostname" rather than "/bin/hostname"), then a malicious
> user could place a symlink to bash from ./hostname, change the PATH
> appropriately, and sudo the first program.
>
> In general, simple text-mode programs are OK, complex graphical ones may
> well have holes.
>
> James.
In the case in question the user tunes pianos and keeps about 5000
customer names and related information in this computer standing in a
corner of his home office where no one other than himself gets near it!
Security is not a consideration here. He has been using a DOS program
for years which I suspect offers little security if any but which has
been crippled since year 2000 arrived.

I have moved his accounts into mysql which took considerable effort on
my part.

Now all I want is to create a user situation where he is unlikely to
damage the system inadvertently.

I am working at it but I keep running into glitches where stuff works
in a terminal window as user but won't work with the scripts I created
to enable him to start things from xfce task bar icons. But like
everything else I do I will eventually muddle through.

I find the stuff received on this mailing list both interesting and
invaluable.

Thank you all.
Bob Goodwin Zuni, Virginia
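
The sudo man-page paragraph quoted in the message above says PATH is passed unchanged to the program sudo runs. As an added example (not part of the original message), the check below lists the entries of a PATH value through which a command called by bare name could resolve to a file an unprivileged user controls. The function name `risky_path_entries` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. risky_path_entries is a hypothetical
# helper: it prints one line per PATH entry that is the current directory,
# a relative directory, or an existing world-writable directory.

risky_path_entries() {
    # Append ':' so an empty trailing entry ("/bin:") is not lost in the split.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}        # remainder after the first ':'
        case $entry in
            "")
                echo "empty entry (current directory)" ;;
            .)
                echo ". (current directory)" ;;
            /*)
                # Absolute path: report it only if it exists and anyone may
                # create files in it. -prune keeps find from descending.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "$entry (world-writable)"
                fi ;;
            *)
                echo "$entry (relative)" ;;
        esac
    done
}

# Audit the PATH given as the first argument, or the current one.
risky_path_entries "${1:-$PATH}"
```

Run it as the account that will invoke sudo, and from the launcher script as well as from a terminal, since the two can have different PATH values.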