Problem of install tarball packages
Nifty Fedora Mitch
niftyfedora at niftyegg.com
Mon Sep 29 06:20:57 UTC 2008
On Fri, Sep 26, 2008 at 10:31:46AM -0700, Aldo Foot wrote:
> On Fri, Sep 26, 2008 at 10:13 AM, Craig White <craigwhite at azapple.com> wrote:
> > On Sat, 2008-09-27 at 01:10 +0800, edwardspl at ita.org.mo wrote:
> >> Aldo Foot wrote:
> >>
> >> >On Fri, Sep 26, 2008 at 9:34 AM, <edwardspl at ita.org.mo> wrote:
> >> >
> >> >
> >> >>Dear All,
> >> >>
> >> >>How to config the sudo, then allow user A to install tarball packages with FC8 System ?
> >> >>
> >> >>
> >>
> >> >You use the 'visudo' command to edit the /etc/sudoers files.
> >> >Don't edit that file directly.
> >> >
> >> >see this /etc/sudoers sample
> >> >http://www.gratisoft.us/sudo/sample.sudoers
> >> >
> >> >'rpm' is just another command you add to the allowed commands.
> >> >so for example a the CLI: "sudo rpm -Uvh someRpm.rpm',
> >> >
> >> >~af
> >> >
> >> >
> >> >
> >> Hello Aldo,
> >>
> >> Sorry, my means is tarball packages ( NOT rpm packages )...
> > ----
> > users don't need superuser privileges to use tar at all UNLESS they are
> > trying to 'untar' into spaces where only superuser can write, in which
> > case, security is out the window.
> >
> > Craig
>
> You're correct. How did I mix rpm and tar? My coffee was not strong
> enough this morning.. ;-)
And the same security issue exists for yum, rpm and cpio.
If I can run "sudo `rpm -Uvh anything" I can install
anything I want including a new pass word file, bogus user
or other backdoor.
--
T o m M i t c h e l l
Found me a new hat, now what?
More information about the fedora-list
mailing list