sudo config question

bob folsom
New Member

sudo config question

Can sudo be configured to check ownership/permissions of /usr/local/bin/myscript before allowing a user to execute it?
Mark Grant
Honored Contributor

Re: sudo config question

I don't think this is an option with sudo.

However, you could write a wrapper script that gets run from sudo and checks the permissions itself.
Never precede any demonstration with anything more predictive than "watch this"
James Specht
Trusted Contributor

Re: sudo config question

sudo allows you to run a script as a specified user. So in theory yes. You could set up a user (usera) that is the only user allowed to run /usr/local/bin/myscript. Then through sudo give userb and userc the ability to run myscript as usera. Userb and userc would not be able to run the script as themselves but only through sudo.

Does that answer your question?

--Jim
"Everyone can be taught to sculpt: Michelangelo would have had to be taught how not to. So it is with the great programmers."
bob folsom
New Member

Re: sudo config question

Jim - thanks for the answer, but it does not help my current problem. I have an in-house script that needs to run as root, and as added security, I want sudo to be able to check that this file is root owned, with the correct perms.
James Specht
Trusted Contributor

Re: sudo config question

You could have the script check the mode and ownership of itself before continuing. Something like this would check for root as the owner and a file permission of -rwx------. Place these two lines after your #!/usr/bin/sh and the script will check itself.

# refuse (non-zero exit) unless the mode is exactly -rwx------ and the owner is root
[ "$(ls -l /usr/local/bin/myscript|tr -s ' '|cut -d ' ' -f1)" != "-rwx------" ] && exit 1
[ "$(ls -l /usr/local/bin/myscript|tr -s ' '|cut -d ' ' -f3)" != "root" ] && exit 1

If you are actually worried about users changing the scripts in /usr/local/bin, change the sticky bit on the directory so only the owner can change the files within. chmod +t /usr/local/bin I believe is the correct syntax.

--Jim
"Everyone can be taught to sculpt: Michelangelo would have had to be taught how not to. So it is with the great programmers."
bob folsom
New Member

Re: sudo config question

Jim - I was hoping to avoid having to do this, but that is a path that would work (the script is not actually in /usr/local/bin, but in a user owned dir, and I do not want to have to modify their code, but will if I have to).
Mark Grant
Honored Contributor

Re: sudo config question

bob,

You don't have to modify their code. Just get "sudo" to run a script that checks the permissions and decides whether to allow the real program to run or not.

Checking permission by the output of "ls -l" is annoying, so I am attaching a little C program for you that can output the permission of the file as a number or as the rwxrwxrwx format. It can tell you loads of other stuff too if you want. You can put this in your checking script.

Compile the program with "cc -s -o mgstat mgstat.c" and run it as "mgstat -p octal filename" for the permission number or "mgstat -p string filename" for the string output. The program must have an argument or it segfaults, which I can't fix right now as I don't have a compiler.
Never precede any demonstration with anything more predictive than "watch this"
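The wrapper Mark describes, and the self-check Jim showed inline, can both be served by one small POSIX sh script. The example below is added here and is not code from the thread (the attached mgstat.c is not reproduced on this page). The path names /usr/local/sbin/run-myscript and /usr/local/bin/myscript, and the sudoers line in the comment, are assumptions for illustration. The script parses `ls -ln` (POSIX, numeric uid) rather than stat(1), which is not portable across HP-UX and Linux, and refuses to exec the target unless it is a regular file owned by uid 0 with no group or other write bit.

```shell
#!/bin/sh
# Added example (not from the thread). Intended as the target of a sudoers
# rule such as:   userb ALL=(root) /usr/local/sbin/run-myscript
# so sudo only ever runs this wrapper, and the wrapper decides whether the
# real script is safe to hand control to.

# check_file FILE [UID]
# Succeeds (exit 0) only if FILE is a regular file (not a symlink or a
# directory), owned by UID (default 0 = root) and not writable by group
# or others. Uses "ls -ldn": -d shows the entry itself, -n gives numeric ids.
check_file() {
    target=$1
    want_uid=${2:-0}
    line=$(ls -ldn -- "$target" 2>/dev/null) || return 1
    # Fields: 1 = mode string, 2 = link count, 3 = owner uid, 4 = group gid
    set -- $line
    mode=$1
    uid=$3
    # First character of the mode: '-' regular file, 'l' symlink, 'd' directory
    case $mode in
        -*) ;;
        *) return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || return 1
    # Group write bit is character 6, other write bit is character 9
    # (character 1 is the type, 2-4 user, 5-7 group, 8-10 other).
    case $mode in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# run_checked SCRIPT [ARGS...]
# Verifies SCRIPT with check_file and then replaces this shell with it.
run_checked() {
    script=$1
    shift
    if ! check_file "$script" 0; then
        echo "refusing to run $script: must be a root-owned regular file not writable by group/others" >&2
        exit 1
    fi
    exec "$script" "$@"
}

# Only hand off to the real script when installed under the wrapper's own
# name; when sourced or run under another name the functions are just defined.
case ${0##*/} in
    run-myscript) run_checked /usr/local/bin/myscript "$@" ;;
esac
```

The check is on the file only. If the script lives in a directory the user can write to (bob's case), the user can still rename a different file into place between two runs, so a wrapper like this should also require the containing directory to be root-owned and not writable by others, or the script should be moved under a root-owned directory as Jim suggested.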