Jack Dodds <brmdamon@xxxxxxxxx> writes:

<snip>
> Problem is, the user has to enter realplay's password every time gksu
> is run. This is a nuisance and also would compromise realplay's
> password if it had to be given to many users.
>
> I have tried to run gksu from a script in which I send realplay's
> password from a file to sysin, but gksu doesn't like that - I get a
> message something like "Must be run from a terminal". If I could run
> gksu from a script like this I could eliminate entry of the password.
> I could also create a Mozilla "helper application" to play specific
> MIME types using RealPlayer running under its separate user id.
>
> The obvious solution is to run the RealPlayer binary as user realplay
> using the suid permission - but GTK+ does not honour the suid bit
> because that is deemed to be a security risk. See
> http://www.gtk.org/setuid.html .
>

I think you're looking at a prime example for using 'sudo'. Add the
following to your /etc/sudoers:

    Cmnd_Alias REALPLAY = /usr/bin/realplay
    # (realplay) names the permitted target user; without it the target is root
    ALL ALL = (realplay) NOPASSWD: REALPLAY

Executing 'sudo -u realplay /usr/bin/realplay' will now execute
RealPlayer as user realplay, just as if it had been setuid realplay.

The nice thing is that some tweaking of the sudoers file could set
restrictions even tighter. For example, if you want to restrict
execution to members of the realplay group, your /etc/sudoers would
look like this:

    # A User_Alias may name a Unix group as %group
    User_Alias ALLOW_REALPLAY = %realplay
    Cmnd_Alias REALPLAY = /usr/bin/realplay
    ALLOW_REALPLAY ALL = (realplay) NOPASSWD: REALPLAY

The manpage for /etc/sudoers is a bit dry, but read it, because it
sounds just like what you need.

Make sure the realplay binary is executable owner-only (chmod 700),
otherwise your users could just launch it from a terminal, having it
run with their full permissions again.

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.
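
An added example, not part of the original message: a small Python linter that reads sudoers rules of the kind discussed in this thread and reports every NOPASSWD command whose target user is root, either because the rule has no Runas_Spec or because the Runas_Spec includes root or ALL. The function name and the sample rules are constructed for illustration, and the parser assumes one rule per line with no line continuations or escaped commas.

```python
import re

# Lines that are not user specifications: comments, includes, Defaults, aliases.
NOT_A_RULE = re.compile(r'^(#|@include|Defaults|\w+_Alias\b)')
# One Cmnd_Spec: optional "(runas)", optional tags ("NOPASSWD:"), then the command.
CMND_SPEC = re.compile(r'\s*(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)([^,]+),?')

def lint_sudoers(text):
    """Return (line, who, command, reason) for each risky NOPASSWD command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or NOT_A_RULE.match(line) or '=' not in line:
            continue
        who, specs = (part.strip() for part in line.split('=', 1))
        runas, nopasswd = None, False  # sudo carries both over to later commands
        for m in CMND_SPEC.finditer(specs):
            if m.group(1) is not None:
                # Keep the user part of "(user_list : group_list)".
                runas = [u.strip() for u in m.group(1).split(':')[0].split(',')]
            tags = [t.strip() for t in m.group(2).split(':')]
            if 'NOPASSWD' in tags:
                nopasswd = True
            elif 'PASSWD' in tags:
                nopasswd = False
            if not nopasswd:
                continue
            if runas is None:
                reason = 'no Runas_Spec, target user defaults to root'
            elif 'ALL' in runas or 'root' in runas:
                reason = 'Runas_Spec permits root'
            else:
                continue
            findings.append((lineno, who, m.group(3).strip(), reason))
    return findings

# Constructed sample rules: with and without a Runas_Spec, plus contrast cases.
SAMPLE = """\
Cmnd_Alias REALPLAY = /usr/bin/realplay
ALL ALL = NOPASSWD: REALPLAY
%realplay ALL = (realplay) NOPASSWD: REALPLAY
alice ALL = (ALL) NOPASSWD: /usr/bin/id, PASSWD: /bin/ls
bob ALL = /usr/bin/passwd
"""

if __name__ == '__main__':
    for finding in lint_sudoers(SAMPLE):
        print('line %d: %s -> %s (%s)' % finding)
```

Syntax checking is still the job of `visudo -c`; this only looks at who a passwordless command may run as.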