James Wilkinson wrote:
Todd Zullinger wrote:
If you use sudo, you don't have to give the user the root password,
you just edit the /etc/sudoers file to allow them to run the
particular command(s) you want and they enter their own password to
run them.
Note: depending on what the program is, this may be equivalent to giving
users the root password. In particular, if there is any way to "shell
out" from the program, or run an external editor, then the user can end
up with a root shell.
I'm also concerned about the man-page paragraph:
To prevent command spoofing, sudo checks "." and "" (both
denoting current directory) last when searching for a command in
the user’s PATH (if one or both are in the PATH). Note, however,
that the actual PATH environment variable is not modified and is
passed unchanged to the program that sudo executes.
I read this as saying that *if* a program runs another program merely by
name (e.g. "hostname" rather than "/bin/hostname"), then a malicious
user could place a symlink to bash from ./hostname, change the PATH
appropriately, and sudo the first program.
In general, simple text-mode programs are OK, complex graphical ones may
well have holes.
James.
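The two concerns James raises (the invoking user's PATH reaching the program, and programs that can shell out) can be checked for in a sudoers file. The script below is an added example, not code from this thread or from the sudo project; the sudoers text is a constructed sample, and the list of programs treated as able to spawn a shell is an assumption made for the example.

```sh
#!/bin/sh
# Audit a sudoers file for:
#  1. no 'Defaults secure_path' -> sudo passes the invoker's PATH unchanged,
#     so a program that execs helpers by bare name can be spoofed
#  2. programs that can shell out (editors, pagers) granted without NOEXEC
# Constructed sample for the example; not a real sudoers file.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
bob ALL=(root) /usr/bin/vim /etc/piano.conf
bob ALL=(root) NOEXEC: /usr/bin/less /var/log/messages
bob ALL=(root) /usr/bin/mysql
'

# has_secure_path FILE -> exit 0 if some Defaults line sets secure_path
has_secure_path() {
    grep -Eq '^[[:space:]]*Defaults.*secure_path[[:space:]]*=' "$1"
}

# shellout_rules FILE -> print rules that grant a program known to shell out
# and that lack the NOEXEC tag. The program list is an assumption.
shellout_rules() {
    awk '
      /^[ \t]*(#|Defaults)/ { next }
      /NOEXEC:/ { next }
      /\/(vi|vim|nano|emacs|less|more|man)([ \t]|$)/ { print }
    ' "$1"
}

# audit_sudoers FILE -> prints findings, returns 1 if any were found
audit_sudoers() {
    f="$1"; status=0
    if has_secure_path "$f"; then
        echo "ok: secure_path is set, invoker PATH is not passed through"
    else
        echo "WARN: no secure_path; programs run via sudo inherit the user PATH"
        status=1
    fi
    rules=$(shellout_rules "$f")
    if [ -n "$rules" ]; then
        echo "WARN: rules granting a program that can spawn a shell, without NOEXEC:"
        echo "$rules"
        status=1
    fi
    return $status
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
audit_sudoers "$tmp" || echo "audit found issues (see above)"
rm -f "$tmp"
```

NOEXEC only stops the editor from starting child processes where sudo's noexec support works on the platform; it does not make a program that reads or writes arbitrary files as root safe.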
In the case in question the user tunes pianos and keeps about 5000 customer names and related information in this computer standing in a corner of his home office where no one other than himself gets near it! Security is not a consideration here. He has been using a DOS program for years which I suspect offers little security if any but which has been crippled since year 2000 arrived.
I have moved his accounts into mysql which took considerable effort on my part.
Now all I want is to create a user situation where he is unlikely to damage the system inadvertently.
I am working at it but I keep running into glitches where stuff works in a terminal window as user but won't work with the scripts I created to enable him to start things from xfce task bar icons. But like everything else I do I will eventually muddle through.
I find the stuff received on this mailing list both interesting and
invaluable.
Thank you all.
Bob Goodwin Zuni, Virginia
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list