On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl@xxxxxxxxxx wrote: > Michael Schwendt wrote: > > >On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote: > > > > > > > >>passwd-wrapper: > >>#!/bin/sh > >> > >># Validate that a username was given as an argument > >>[ -n "$1" ] || { > >> echo "Use: passwd-wrapper <username>" >&2 > >> exit 64 > >>} > >> > >># Validate that the username wasn't "root" > >>[ "$1" != "root" ] || { > >> echo "Can't set the root user's password" >&2 > >> exit 77 > >>} > >> > >># Use -- to make sure that the "username" given wasn't just > >># a switch that passwd would interpret. > >># THIS ONLY WORKS ON GNU SYSTEMS. > >>passwd -- "$1" > >> > >> > > > >Don't let users run this via sudo unless you execute tools with > >absolute path --> /usr/bin/passwd > > > > > > > Hello, > > Do you means there is some problem / security with this shell scripts ? It depends on your sudo/sudoers configuration. You can read more about it in the manuals. Look out for setenv, env_, SECURE_PATH (and related settings). > BUT, only some of special user who can running some of cmd via sudo... > eg: System Admin ( manager ) and Support Term... It's general advise not to open an attack vector via $PATH when trying to impose restrictions on what those special users may run. Today your sudo configuration may not permit that, but you wouldn't be the first one to switch from sudo to setuid or to alter your sudo config in harmful ways. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines