<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Michael Schwendt wrote:<br>
<blockquote cite="mid20081119102701.5ec9b18a.mschwendt@gmail.com"
type="cite">
<pre wrap="">On Wed, 19 Nov 2008 17:17:40 +0800, <a class="moz-txt-link-abbreviated" href="mailto:edwardspl@ita.org.mo">edwardspl@ita.org.mo</a> wrote:</pre>
<blockquote type="cite">
<pre wrap="">Michael Schwendt wrote:</pre>
<blockquote type="cite">
<pre wrap="">On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:</pre>
<blockquote type="cite">
<pre wrap="">passwd-wrapper:
#!/bin/sh
# Validate that a username was given as an argument
[ -n "$1" ] || {
        echo "Use: passwd-wrapper &lt;username&gt;" >&2
        exit 64
}
# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
        echo "Can't set the root user's password" >&2
        exit 77
}
# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"</pre>
</blockquote>
<pre wrap="">Don't let users run this via sudo unless you execute tools with
absolute path --> /usr/bin/passwd
</pre>
</blockquote>
<pre wrap="">Hello,
Do you mean there is some problem / security with this shell script?
</pre>
</blockquote>
<pre wrap="">It depends on your sudo/sudoers configuration. You can read more about it
in the manuals. Look out for setenv, env_, SECURE_PATH (and related
settings).
</pre>
</blockquote>
Just the following rules:<br>
SYSADM MH = (ALL) /usr/bin/passwd-wrapper
<blockquote cite="mid20081119102701.5ec9b18a.mschwendt@gmail.com"
type="cite">
<blockquote type="cite">BUT, only some special users can
run some cmds via sudo...<br>
e.g. System Admin (manager) and Support Term...<br>
</blockquote>
</blockquote>
<br>
<blockquote cite="mid20081119102701.5ec9b18a.mschwendt@gmail.com"
type="cite">
<blockquote type="cite">It's general advice not to open an attack
vector via $PATH when trying to<br>
impose restrictions on what those special users may run. Today your sudo<br>
configuration may not permit that, but you wouldn't be the first one to<br>
switch from sudo to setuid or to alter your sudo config in harmful ways.</blockquote>
</blockquote>
I think the system admin configures sudo only for some special users
(e.g. system support term) for server maintenance...<br>
So, NOT many users can run with sudo, right?<br>
<br>
Thanks !<br>
<br>
Edward.<br>
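<br>
Added example, not part of the original messages or anyone's posted code: the wrapper quoted above with the search path pinned and passwd called by the absolute path named in the thread, so it does not depend on the sudoers settings staying as they are. The function names, the leading-dash check and the character policy for account names are assumptions made for illustration.<br>

```shell
#!/bin/sh
# passwd-wrapper, hardened variant (added example, not code from the thread).
# Meant to sit behind a sudoers rule for this wrapper only, ideally with
#   Defaults env_reset
#   Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"

# Pin the search path in the script too, so nothing below is resolved
# through a directory the calling user controls, whatever sudoers says.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Absolute path, hardcoded on purpose. Taking it from the environment
# would hand the choice of binary back to the caller.
PASSWD_BIN=/usr/bin/passwd

# check_username NAME
# Returns 0 if NAME may be passed on, otherwise a sysexits-style code:
#   64 = missing or option-like, 65 = unexpected characters, 77 = root.
check_username() {
    case "$1" in
        '')   return 64 ;;
        root) return 77 ;;
        -*)   return 64 ;;                 # portable guard; does not rely on GNU "--"
        *[!A-Za-z0-9._-]*) return 65 ;;    # assumed site policy for account names
    esac
    return 0
}

main() {
    check_username "$1" || {
        rc=$?
        echo "Use: passwd-wrapper USERNAME (not root, no leading '-')" >&2
        return "$rc"
    }
    exec "$PASSWD_BIN" -- "$1"
}

# Run only when installed under its real name, so the functions can be
# sourced and tested without invoking passwd.
case "${0##*/}" in
    passwd-wrapper) main "$@" ;;
esac
```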
</body>
</html>