[PLUG] make sudo act like "su - foo ..."

Matt Rae mattrae at gmail.com
Wed Feb 6 20:18:09 UTC 2008


Eric, I *think* sudo -H is all you'll need to make sudo -u similar to su -.

As for the arguments, the thing that always screws me up is that
wildcards aren't regular expressions, they use fnmatch which doesn't
seem to be the best for matching arguments. Or maybe I just don't use
it right.

Matt

On Feb 6, 2008 11:48 AM, Eric Wilhelm <scratchcomputing at gmail.com> wrote:
> Update: I mostly answered my question while writing this, so I'm mostly
> posting it as a matter of interest and in case someone has suggestions.
>
> I'm trying to find a compact but secure way to configure sudo to allow
> running a command as a specific non-root user.
>
> I might be missing something, but "sudo -u foo command" doesn't get me
> the same results as "su - foo command".  Is -H all I need?
>
> The idea is that anybody in the 'stowpan' group can run the cpan shell
> as the 'stowpan' user, but they can also pass arguments.
>
>   %stowpan ALL=NOPASSWD: /bin/su - stowpan /usr/local/bin/cpan,
>     /bin/su - stowpan /usr/local/bin/cpan *
>
> That does what I want, but it is awfully wordy.  (the first command spec
> to allow zero arguments to `cpan`, and the second to allow one or more
> arguments.)
>
> The following has the right permissiveness, but means one could also run
> a 'cpanfoo' or 'cpanbar' program:
>
>   %stowpan ALL=NOPASSWD: /bin/su - stowpan /usr/local/bin/cpan*
>
> So, the '*' wildcard has to be part of an argument -- it can't stand
> for 'zero or more additional arguments allowed here'.
>
> Of course, this much lockdown (in this particular case) is moot because
> cpan has a 'look' function that will get you a bash shell, so the
> security really stops at:
>
>   %stowpan ALL=NOPASSWD: /bin/su - stowpan
>
> But again the implies-some-number-of-arguments sense of '*' comes into
> play.  I have to write it as:
>
>   %stowpan ALL=NOPASSWD: /bin/su - stowpan, /bin/su - stowpan *
>
> So, what's the equivalent to 'su - user ...' via 'sudo -u user ...'?
>
>   %stowpan ALL=(stowpan) NOPASSWD: /usr/local/bin/cpan,/bin/bash
>
> That seems to work when invoked as:
>
>   sudo -H -u stowpan cpan
>   sudo -H -u stowpan bash -l
>
> Does that sound right?  Suggestions?
>
> The '-i' switch seems to get more of an 'su -' sort of behavior, but
> skews the interface a bit:
>
>   sudo -i -u stowpan bash
>   /bin/bash: /bin/bash: cannot execute binary file
>
> Whereas 'sudo -i -u stowpan' gives me a shell (and 'sudo -i -u stowpan
> cpan' requires that I have bash in the allowed commands.)
>
> --Eric
> --
> "Left to themselves, things tend to go from bad to worse."
> --Murphy's Corollary
> ---------------------------------------------------
>     http://scratchcomputing.com
> ---------------------------------------------------
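The wildcard behaviour Eric ran into, and Matt's remark that sudoers wildcards are fnmatch patterns rather than regular expressions, can be checked with a small model of the matching rules. The script below is an added example, not code from this thread or from sudo. It assumes the rules documented in sudoers(5): the command path is matched with fnmatch-style wildcards; a Cmnd with no argument list accepts any arguments; a Cmnd with an argument list is fnmatched against the user's arguments joined by single spaces; and an argument list of `""` accepts only a bare command. The rule lists and command lines are constructed from the specs quoted above; real sudo also canonicalises paths and does much more that is not modelled here.

```python
"""Toy model of how sudoers Cmnd specs match a command line.

Added example; not the thread's or sudo's own code. It models only the
sudoers(5) matching rules named in the lead-in.
"""
from fnmatch import fnmatchcase


def parse_cmnd(spec):
    """Split one Cmnd entry into (path pattern, argument pattern).

    The argument pattern is None when the spec has no argument list,
    "" when the spec ends in the literal "" token, else the raw text.
    """
    spec = spec.strip()
    if spec.endswith('""'):
        return spec[:-2].strip(), ""
    parts = spec.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) == 2 else None)


def cmnd_matches(spec, argv):
    """True if the command line argv (argv[0] is the full path) matches spec."""
    path_pat, args_pat = parse_cmnd(spec)
    if not fnmatchcase(argv[0], path_pat):
        return False
    if args_pat is None:            # no argument list: any arguments allowed
        return True
    user_args = " ".join(argv[1:])
    if args_pat == "":              # explicit "": only a bare command allowed
        return user_args == ""
    # The spec's argument string is the fnmatch pattern and the joined user
    # arguments are the string: '*' can swallow spaces, but a literal space
    # in the pattern must be present in the input, so "cpan *" never
    # matches a bare "cpan".
    return fnmatchcase(user_args, args_pat)


def allowed(cmnd_list, argv):
    """True if any Cmnd in the list (the comma-separated part of a sudoers line) matches."""
    return any(cmnd_matches(spec, argv) for spec in cmnd_list)


# Rule lists built from the specs quoted in the thread.
WORDY = ["/bin/su - stowpan /usr/local/bin/cpan",
         "/bin/su - stowpan /usr/local/bin/cpan *"]
LOOSE = ["/bin/su - stowpan /usr/local/bin/cpan*"]
DIRECT = ["/usr/local/bin/cpan", "/bin/bash"]       # the ALL=(stowpan) form
NOARGS = ['/usr/local/bin/cpan ""']                 # what a "" argument list does

# Constructed command lines, as sudo would see them after path lookup.
CPAN_BARE = ["/bin/su", "-", "stowpan", "/usr/local/bin/cpan"]
CPAN_ARGS = ["/bin/su", "-", "stowpan", "/usr/local/bin/cpan", "install", "Foo"]
CPANFOO = ["/bin/su", "-", "stowpan", "/usr/local/bin/cpanfoo"]

if __name__ == "__main__":
    for name, rules in (("WORDY", WORDY), ("LOOSE", LOOSE)):
        for argv in (CPAN_BARE, CPAN_ARGS, CPANFOO):
            print(f"{name:5} {' '.join(argv):55} -> {allowed(rules, argv)}")
```

Running the script shows the two points from the thread side by side: `LOOSE` accepts `cpanfoo` because `*` is part of the last argument, while `WORDY` needs both specs because `cpan *` requires a literal space that a bare `cpan` never supplies. It also shows why a Cmnd with no argument list, such as the `/usr/local/bin/cpan` entry in the `ALL=(stowpan)` form, accepts any arguments. On a real system the same questions are answered by `sudo -l` with the command appended, which reports whether the installed policy permits that exact command line.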
