
Re: forcing a shell script to run a specific user?



In the "slightly more obscure, not really pretty" ways to do stuff, you could
do most of what you want using something like webmin and some real simple
perl/LWP stuff.  That's one of the ways I've been keeping the machines in
my lab in sync.  The other involves making a group that's capable of restarting
stuff and whatnot, using a wrapper that's marginally similar to Steve's.

--Danny

On Sat, Aug 05, 2000 at 11:58:23PM -0500, Charles Menzes wrote:
> Thanks, sudo was my other option, but I am not certain whether or not it
> will fit my needs. Currently, every time I have seen sudo implemented, I
> am prompted for a password.
> I am setting up a model for lunar that will allow a main machine to update
> configuration files on a remote server, and then restart a service using
> ssh. The config files would be updated through rsync using ssh as
> transport, and then I am hoping, for example, to be able to restart, say,
> DNS, by issuing:
> 
> 	ssh -l cmenzes ns2.lunarmedia.net "sudo /usr/bin/ndc reload"
> 
> Now, if sudo will prompt me for my password, well, I am back to square
> one.
> 
> 
> On Sat, 5 Aug 2000, Steven Pritchard wrote:
> 
> > Charles Menzes said:
> > > Is there any way to force a shell script to run as a specific user despite
> > > who actually initiates it?
> > 
> > No.  Setuid shell scripts are inherently insecure, and no modern Unix
> > allows them.  You'll either have to write a wrapper, or use something
> > like sudo.
> > 
> > A wrapper could be something as simple as the following:
> > 
> >     #include <stdio.h>
> >     #include <stdlib.h>
> >     #include <unistd.h>
> > 
> >     /* Make sure this is an absolute path. */
> >     #define SCRIPT "/path/to/script"
> > 
> >     int main(void)
> >     {
> >         /* Fixed, minimal environment: the caller's PATH, IFS, LD_*
> >            and friends never reach the script. */
> >         char *safe_envp[] = {"SHELL=/bin/sh", "PATH=/bin:/usr/bin", NULL};
> > 
> >         /* When this binary is installed setuid/setgid, make the real
> >            ids match the effective ones; otherwise most shells drop
> >            the privilege again as soon as the script's interpreter
> >            starts (real uid != effective uid). */
> >         if (setgid(getegid()) == -1 || setuid(geteuid()) == -1) {
> >             perror("setgid/setuid failed");
> >             exit(EXIT_FAILURE);
> >         }
> > 
> >         /* execle() only returns on failure. */
> >         if (execle(SCRIPT, SCRIPT, (char *)NULL, safe_envp) == -1) {
> >             perror("execle(" SCRIPT ") failed");
> >             exit(EXIT_FAILURE);
> >         }
> > 
> >         return 1;
> >     }
> > 
> > Still, keep in mind that this is generally not considered a very safe
> > thing to do, so be careful...
> > 
> > Steve
> > 
> 
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
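As an added example (not from any poster on this thread), this is the sudoers rule that lets the ssh invocation Charles quotes run without a password prompt. The user, host and command come from the message; the file layout, the use of NOPASSWD and the requiretty setting are assumptions about the target machine, not something the thread states.

```sudoers
# /etc/sudoers fragment on ns2.lunarmedia.net (added example, not from the
# thread). Edit it with visudo, never directly, so a syntax error cannot
# lock everyone out of sudo.

# Grant exactly one command with exactly one argument list. "ndc" with any
# other arguments, or any other program, is still refused.
Cmnd_Alias NDC_RELOAD = /usr/bin/ndc reload

# sudo prompts for the invoking user's password by default; NOPASSWD turns
# that off for this rule only. The host field is ALL because the file lives
# on the one host it applies to; it could be narrowed to the name sudo
# sees for the machine (short hostname unless "Defaults fqdn" is set).
cmenzes ALL = (root) NOPASSWD: NDC_RELOAD

# Some builds ship "Defaults requiretty", which makes a non-interactive
# "ssh host sudo ..." fail. Relax it for this user only (assumed needed).
Defaults:cmenzes !requiretty
```

Check the rule from the server with `sudo -l -U cmenzes` before relying on it, and invoke it from the main machine as `ssh -l cmenzes ns2.lunarmedia.net "sudo -n /usr/bin/ndc reload"`: with `-n` (assuming a sudo release that has it) a rule that does not match makes sudo exit with an error instead of hanging on a password prompt. The price of the rule is that anyone holding cmenzes's ssh key, including a compromised main machine, can run `ndc reload` as root on ns2; the exact-command grant is what keeps that from being more.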