Sudo from scripts

Patrick O'Callaghan pocallaghan at gmail.com
Tue Nov 18 13:45:02 UTC 2008


On Tue, 2008-11-18 at 03:16 +0000, g wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Patrick O'Callaghan wrote:
> 
> > You can do that if you're root. Otherwise you can't. You can do lots of
> > idiotic things as root. What's your point?
> 
> in jerry's comment;
>  'Giving root ownership to a script IMHO is a security issue.'
> led me to believe that ability to do so by normal user was still unchanged.

The ability to do what? Give root ownership to a script? It is
unchanged. Once again: only root can change ownership.

In any case, the owner of the script is only security-relevant in two
cases: 1) if it allows someone to edit the script who normally couldn't,
or 2) if the script is setuid. Of course it could also change who can
*execute* the script, but if it's not setuid they'll be doing it as
themselves, not as the owner.

> having read 'chown(2)' and trying it to see just what occurred, now shows
> me that it has been changed.

What exactly has changed?

> i had hopes that it would be corrected, i have never checked or tried to
> do so. as i have never had reason to do, because if i ever need to do
> something of 'root' level, i have always changed to 'root'.

Meaning you'll be running scripts as root, same as everyone. The only
difference is that you have to supply the root password to get there.
Once past that hurdle, the situation is exactly the same as using
setuid.

poc




More information about the fedora-list mailing list