topic Re: sudo config question in Operating System - HP-UX

sudo config question

bob folsom — Mon, 13 Oct 2003 09:01:17 GMT

Can sudo be configured to check ownership/permissions of /usr/local/bin/myscript before allowing a user to execute it?

Re: sudo config question

Mark Grant — Mon, 13 Oct 2003 09:04:59 GMT

I don't think this is an option with sudo.

However, you could write a wrapper script that gets run from sudo and checks the permissions itself

Re: sudo config question

James Specht — Mon, 13 Oct 2003 13:12:47 GMT

sudo allows you to run a script as a specified user. So in theory yes. You could setup a user, (usera) that is the only user allowed to run /usr/local/bin/myscript. Then through sudo give userb and userc the ability to run myscript as usera. Userb and userc would not be able to run the script as themselves but only through sudo.

Does that answer your question?

--Jim

Re: sudo config question

bob folsom — Mon, 13 Oct 2003 13:44:45 GMT

Jim - thanks for the answer, but it does not help my current problem. I have an in-house script that needs to run as root, and as added security, I want sudo to be able to chekc that this file is root owned, with the correct perms.

Re: sudo config question

James Specht — Mon, 13 Oct 2003 14:06:18 GMT

You could have the script check the mode and ownership of itself before continuing. Something like this would check for root as the owner and a file permission of -rwx------. Place these two lines after your #!/usr/bin/sh and the script will check itself.

[ "$(ls -l /usr/local/bin/myscript|tr -s ' '|cut -d ' ' -f1)" != "-rwx------" ] && exit
[ "$(ls -l /usr/local/bin/myscript|tr -s ' '|cut -d ' ' -f3)" != "root" ] && exit

If you are actually worried about users changing the scripts in /usr/local/bin change the sticky bit on the directory so only the owner can change the files within. chmod +t /user/local/bin I believe is correct syntax.

--Jim

Re: sudo config question

bob folsom — Mon, 13 Oct 2003 14:36:39 GMT

Jim - I was hoping to avoid having to do this, but that is a path that would work (the script is not acutally in /usr/local/bin, but in a user owned dir, and I do not want to have to modify thier code, but will of I have to).

Re: sudo config question

Mark Grant — Mon, 13 Oct 2003 14:54:33 GMT

bob,

You don't have to modify their code. Just get "sudo" to run a script that checks the permissions and decide wether to allow the real program to run or not.

Checking permission by the output of "ls -l" is annoying so I am attaching a little c program for you that can output the permission of the file as a number or as the rwxrwxrwx format. It can tell you loads of other stuff too if you want. You can put this in your checking script.

compile the program with "cc -s -o mgstat mgstat.c" and run it as "mgstat -p octal filename" for the permision number or "mgstat -p string filename" for the string output. The program must have an argument or it segfaults which I can't fix right now as I don't have a compiler.