RE: sudo examples


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of frank cui
Sent: Thursday 27 October 2011 2:21
To: General Red Hat Linux discussion list
Subject: Re: sudo examples

On Wed, Oct 26, 2011 at 8:31 PM, Steven Barre <steven@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:


I understand how to configure sudo, but I don't get how to get real-world
use from it. Is it best to write custom scripts for the things that need
doing and give sudo access to those scripts?

Allowing the execution of shell scripts via sudo adds potential security issues. If the script can be modified or the behavior of the executing shell can be changed, the user may gain more rights. See e.g. (first hit in Google, there will be other examples)

So scripts are probably not the recommended approach.

Most of what I do as root is done because of file permissions. For example,
if I want a user to have access to a conf file but don't want to change the
file permissions of the conf file, how can I do this with sudo?

I'm not sure about the solution using sudo, but definitely you could set up
an ACL for the file for more granular control over it.

ACLs may indeed be a better solution to this approach because allowing a user to execute e.g. vi as root effectively grants complete access due to the possibility to use shell escapes in vi.
This can partly be addressed by using restricted vi but I haven't investigated that option further so I can't comment on that.

Do you have any examples of how you use sudo to allow users to do some
basic tasks?

The sudo list, as you may know, can allow users to do specific categories of
tasks instead of authorizing all the root commands to them. For example, you
can delegate the abilities to restart a network service to a specific user.

This is also our primary use case; of course, init scripts are shell scripts too.
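
The concern raised in this message, that a script run through sudo is only as safe as the permissions on the script and the directories above it, can be checked before a sudoers rule is granted. The following is an added example, not part of the original message; the function name `audit_sudo_script` and its arguments are hypothetical, and it assumes GNU `stat` and `readlink` as shipped on Red Hat systems.

```sh
# Audit a script that a sudoers rule would let users run as root.
# Usage: audit_sudo_script SCRIPT [TRUSTED_UID] [STOP_DIR]
#   TRUSTED_UID  uid that must own every path component (default 0, root)
#   STOP_DIR     directory at which the upward walk ends (default /); it is
#                there so the check can be tried on a constructed tree
# Prints one finding per unsafe component. Exit status: 0 clean,
# 1 findings, 2 script missing. The check is conservative: world-writable
# sticky directories such as /tmp are reported as well.
audit_sudo_script() (
    script=$1 owner_ok=${2:-0} stop=${3:-/}
    [ -e "$script" ] || { echo "missing: $script"; exit 2; }
    p=$(readlink -f -- "$script")      # resolve symlinks to the real file
    stop=$(readlink -f -- "$stop")
    rc=0
    while :; do
        # $1 = owner uid, $2 = permission bits in octal
        set -- $(stat -c '%u %a' -- "$p")
        # Whoever owns a component can rewrite or replace what is below it.
        if [ "$1" != "$owner_ok" ]; then
            echo "not owned by uid $owner_ok (uid $1): $p"; rc=1
        fi
        # 020 = group write, 002 = other write; the leading 0 makes it octal.
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $2): $p"; rc=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname -- "$p")           # then check the parent directory
    done
    exit "$rc"
)
```

A writable parent directory is reported even when the script itself is mode 755, because whoever can write to the directory can replace the file.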


