| 1 |
Couldn't you just do: |
| 2 |
sudo su - emerge -c '/usr/bin/emerge' |
| 3 |
and then set up sudoers to only allow that command? |
| 4 |
|
| 5 |
On Thu, 2004-07-29 at 10:49, Bart Alewijnse wrote: |
| 6 |
> Errm. I was referring to the *user* 'emerge' - I wasn't aware you can |
| 7 |
> use su to execute binaries. sudo, yes, but su? 'sudo su emerge' would |
| 8 |
> cause sudo to run su with the command line parameter 'emerge' which |
| 9 |
> can only be a username - rather than hand sudo two executable names, |
| 10 |
> right? |
| 11 |
> But if you're paranoid, you could likely require the path to emerge in |
| 12 |
> sudoers, so that it'd have to be |
| 13 |
> 'sudo su /usr/bin/emerge' - or possibly just that it'd only accept |
| 14 |
> running emerge if the actual emerge binary being suggested for running |
| 15 |
> is the one in /usr/bin. Since you don't have direct accidental access |
| 16 |
> to that as either considered user, it's not a risk. |
| 17 |
> |
| 18 |
> Again with the calling me undercaffeinated if I'm missing something. |
| 19 |
> |
| 20 |
> But as to the being bad, I don't see how it's not an entirely moot point. |
| 21 |
> |
| 22 |
> You give them root access one way or the other, be it directly, or |
| 23 |
> indirectly quite simply because you allow them full access to the |
| 24 |
> filesystem through emerge - you have to, or emerge wouldn't work. If |
| 25 |
> they wanted to be bad, they could do what they wanted anyhow - say, |
| 26 |
> make a portage package that'd have the added featuer of also mailing |
| 27 |
> them the password shadow file. |
| 28 |
> |
| 29 |
> If this needs to work, and cleanly, it needs to be authentication |
| 30 |
> within emerge, as far as I can see. |
| 31 |
> |
| 32 |
> --Bart Alewijnse |
| 33 |
> |
| 34 |
> -- |
| 35 |
> gentoo-security@g.o mailing list |
| 36 |
-- |
| 37 |
Matthew Baxa <mbaxa@×××××××.edu> |
| 38 |
Applications Services Administrator |
| 39 |
K-State University Office of Mediated Education |
| 40 |
http://www.dce.ksu.edu |
| 41 |
|
| 42 |
Public key ID: 982330F8 |
| 43 |
Public key available at: www.keyserver.net |
Archives