Michael Schwendt wrote:

> On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl@xxxxxxxxxx wrote:
>
>> Michael Schwendt wrote:
>>
>>> On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:
>>>
>>>> passwd-wrapper:
>>>>
>>>> #!/bin/sh
>>>> # Validate that a username was given as an argument
>>>> [ -n "$1" ] || {
>>>>     echo "Use: passwd-wrapper <username>" >&2
>>>>     exit 64
>>>> }
>>>> # Validate that the username wasn't "root"
>>>> [ "$1" != "root" ] || {
>>>>     echo "Can't set the root user's password" >&2
>>>>     exit 77
>>>> }
>>>> # Use -- to make sure that the "username" given wasn't just
>>>> # a switch that passwd would interpret.
>>>> # THIS ONLY WORKS ON GNU SYSTEMS.
>>>> passwd -- "$1"
>>>
>>> Don't let users run this via sudo unless you execute tools with
>>> absolute path --> /usr/bin/passwd
>>
>> Hello,
>>
>> Do you mean there is some problem / security with this shell script?
>
> It depends on your sudo/sudoers configuration. You can read more about
> it in the manuals. Look out for setenv, env_, SECURE_PATH (and related
> settings).

Just the following rules:

SYSADM MH = (ALL) /usr/bin/passwd-wrapper

BUT, only some special users can run some commands via sudo...
I think the system admin configures sudo only for some special users (e.g. system support term) for the Server Maintenance...

> It's general advice not to open an attack vector via $PATH when trying to

So, NOT many users can run it with sudo, right?

Thanks!

Edward.
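Added example, not part of the original thread and not written by any of its participants: a hardened variant of the quoted passwd-wrapper that follows the absolute-path advice and pins PATH itself, so it does not rely on the sudoers environment settings. Assumptions: passwd is at /usr/bin/passwd (the path given in the thread), the stricter username character set and the UID 0 check are additions, and the script is installed under the name passwd-wrapper.

```shell
#!/bin/sh
# Hardened variant of the passwd-wrapper quoted in this thread (added example).
# Assumption: passwd is installed at /usr/bin/passwd, the path given in the thread.
#
# Companion sudoers settings (see sudoers(5)); these make sudo itself discard
# the caller's environment before the wrapper starts:
#   Defaults env_reset
#   Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"

# Pin PATH inside the script too, so it stays safe even if sudoers is later
# loosened (for example by granting SETENV or disabling env_reset).
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# The privileged tool is always called by absolute path, never by bare name.
PASSWD_BIN=/usr/bin/passwd

# check_username NAME: 0 = acceptable, 64 = missing or malformed, 77 = refused
check_username() {
    [ -n "$1" ] || return 64
    case "$1" in
        -*) return 64 ;;                  # would be parsed as a switch
        *[!A-Za-z0-9._-]*) return 64 ;;   # characters outside a plain login name
    esac
    [ "$1" != "root" ] || return 77
    # Refuse every UID 0 account, not only the literal name "root".
    uid=$(id -u "$1" 2>/dev/null) || return 64   # unknown user
    [ "$uid" -ne 0 ] || return 77
    return 0
}

main() {
    rc=0
    check_username "$1" || rc=$?
    case "$rc" in
        0)  exec "$PASSWD_BIN" -- "$1" ;;
        64) echo "Use: passwd-wrapper <username>" >&2 ;;
        77) echo "Can't set the password of root or any UID 0 account" >&2 ;;
    esac
    return "$rc"
}

# Run only when installed under the wrapper's own name, so the functions
# above can be sourced and tested without invoking passwd.
case "${0##*/}" in
    passwd-wrapper) main "$@"; exit $? ;;
esac
```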