linux.debian.user debian-user@lists.debian.org.

#1

cat sudo_file
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification

root ALL=(ALL) ALL

xxxx xxxx=NOPASSWD: /bin/echo, /sbin/*, /sys/power/state

note xxxx is used to protect the user.
-----------------------------------------------------------------------------------------------------
Here is the script I am trying to set up.
#!/bin/bash

#This is a shell script for hibernation.

sudo echo disk >/sys/power/state

Gnu_Raiz

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2

On Sat, Aug 18, 2007 at 03:35:05PM -0500, Gnu_Raiz wrote:
> cat sudo_file
> # /etc/sudoers
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the man page for details on how to write a sudoers file.
> #Defaults env_reset
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
>
> root ALL=(ALL) ALL
>
> xxxx xxxx=NOPASSWD: /bin/echo, /sbin/*, /sys/power/state
       ^^^^                               ^^^^^^^^^^^^^^^^
  I assume this is your hostname.                 |
                                                  |
         As I understand it, sudo provides access to commands, not files.

> Here is the script I am trying to set up.
> #!/bin/bash
>
> #This is a shell script for hibernation.
>
> sudo echo disk >/sys/power/state
       ^^^^
It should work like this, but maybe you should try replacing it with
'/usr/bin/echo'

HTH,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

#3

On Sunday 19 August 2007 01:00:16, Andrei Popescu wrote:
> On Sat, Aug 18, 2007 at 03:35:05PM -0500, Gnu_Raiz wrote:
> > cat sudo_file
> > # /etc/sudoers
> > #
> > # This file MUST be edited with the 'visudo' command as root.
> > #
> > # See the man page for details on how to write a sudoers file.
> > #Defaults env_reset
> >
> > # Host alias specification
> >
> > # User alias specification
> >
> > # Cmnd alias specification
> >
> > # User privilege specification
> >
> > root ALL=(ALL) ALL
> >
> > xxxx xxxx=NOPASSWD: /bin/echo, /sbin/*, /sys/power/state
>
>        ^^^^                               ^^^^^^^^^^^^^^^^
> I assume this is your hostname.                   |
>
> As I understand it, sudo provides access to commands, not files.
>
> > Here is the script I am trying to set up.
> > #!/bin/bash
> >
> > #This is a shell script for hibernation.
> >
> > sudo echo disk >/sys/power/state
>
>        ^^^^
> It should work like this, but maybe you should try replacing it with
> '/usr/bin/echo'
>
> HTH,
> Andrei

The redirection ">" is not taken by sudo.

For this reason alone, I sometimes must log in as root. Try "sudo -s" then
"echo disk >/sys/power/state" and then exit.

#4

On Sunday 19 August 2007 11:08:42, Gilles Mocellin wrote:
> On Sunday 19 August 2007 01:00:16, Andrei Popescu wrote:
> > On Sat, Aug 18, 2007 at 03:35:05PM -0500, Gnu_Raiz wrote:
> > > cat sudo_file
> > > # /etc/sudoers
> > > #
> > > # This file MUST be edited with the 'visudo' command as root.
> > > #
> > > # See the man page for details on how to write a sudoers file.
> > > #Defaults env_reset
> > >
> > > # Host alias specification
> > >
> > > # User alias specification
> > >
> > > # Cmnd alias specification
> > >
> > > # User privilege specification
> > >
> > > root ALL=(ALL) ALL
> > >
> > > xxxx xxxx=NOPASSWD: /bin/echo, /sbin/*, /sys/power/state
> >
> >          ^^^^                               ^^^^^^^^^^^^^^^^
> > I assume this is your hostname.                     |
> >
> > As I understand it, sudo provides access to commands, not files.
> >
> > > Here is the script I am trying to set up.
> > > #!/bin/bash
> > >
> > > #This is a shell script for hibernation.
> > >
> > > sudo echo disk >/sys/power/state
> >
> >          ^^^^
> > It should work like this, but maybe you should try replacing it with
> > '/usr/bin/echo'
> >
> > HTH,
> > Andrei
>
> The redirection ">" is not taken by sudo.
>
> For this reason alone, I sometimes must log in as root. Try "sudo -s" then
> "echo disk >/sys/power/state" and then exit.

I've just read the manpage of sudo, and here's what it says:

    To make a usage listing of the directories in the /home partition. Note that
    this runs the commands in a sub-shell to make the cd and file redirection
    work.

    $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

So, you can do it in one command, sudo is launching a shell, which is
responsible for redirections, pipes, chaining commands...

#6

On Sun, Aug 19, 2007 at 11:36:03AM +0200, Gilles Mocellin wrote:
> I've just read the manpage of sudo, and here's what it says:
>
> To make a usage listing of the directories in the /home partition. Note that
> this runs the commands in a sub-shell to make the cd and file redirection
> work.
>
> $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
>
> So, you can do it in one command, sudo is launching a shell, which is
> responsible for redirections, pipes, chaining commands...

Please correct me if I'm wrong, but this defeats the purpose of
restricting sudo to a certain set of commands.

Regards,
Andrei

#7

On Sun, Aug 19, 2007 at 01:58:10PM +0300, Andrei Popescu wrote:
> On Sun, Aug 19, 2007 at 11:36:03AM +0200, Gilles Mocellin wrote:
>
> > I've just read the manpage of sudo, and here's what it says:
> >
> > To make a usage listing of the directories in the /home partition. Note that
> > this runs the commands in a sub-shell to make the cd and file redirection
> > work.
> >
> > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> >
> > So, you can do it in one command, sudo is launching a shell, which is
> > responsible for redirections, pipes, chaining commands...
>
> Please correct me if I'm wrong, but this defeats the purpose of
> restricting sudo to a certain set of commands.
>

You could put the command in a script, owned by root, executable by root
only, then tell sudo to let you run that command. This should then log
that command being run.

Doug.

#8

On Sun, Aug 19, 2007 at 01:58:10PM +0300, Andrei Popescu wrote:
> On Sun, Aug 19, 2007 at 11:36:03AM +0200, Gilles Mocellin wrote:
>
> > I've just read the manpage of sudo, and here's what it says:
> >
> > To make a usage listing of the directories in the /home partition. Note that
> > this runs the commands in a sub-shell to make the cd and file redirection
> > work.
> >
> > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> >
> > So, you can do it in one command, sudo is launching a shell, which is
> > responsible for redirections, pipes, chaining commands...
>
> Please correct me if I'm wrong, but this defeats the purpose of
> restricting sudo to a certain set of commands.

The command here is 'sh', so this could be restricted as usual.

Ken

--
Ken Irving, fnkci+debianuser@uaf.edu

#10

On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
> > > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> > >
> > > So, you can do it in one command, sudo is launching a shell, which is
> > > responsible for redirections, pipes, chaining commands...
> >
> > Please correct me if I'm wrong, but this defeats the purpose of
> > restricting sudo to a certain set of commands.
>
> The command here is 'sh', so this could be restricted as usual.

Of course you could, but if you're able to run sh what prevents you from
using it to run anything else?

Regards,
Andrei

#11

On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
> > > > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> > > >
> > > > So, you can do it in one command, sudo is launching a shell, which is
> > > > responsible for redirections, pipes, chaining commands...
> > >
> > > Please correct me if I'm wrong, but this defeats the purpose of
> > > restricting sudo to a certain set of commands.
> >
> > The command here is 'sh', so this could be restricted as usual.
>
> Of course you could, but if you're able to run sh what prevents you from
> using it to run anything else?

I'm probably misunderstanding something (not sure what the OP's question
was), but my point was just that you can prevent someone from running
sh in the first place -- i.e., they wouldn't be able to do the above
operation.

Any command/program that is allowed to be run under sudo could be misused
if it allows the user to run a shell from within that program.

I don't have much experience with using sudo to *carefully* grant
privileges to untrusted users, but I would think one could put something
like the above in a script which the user is allowed to run (as I think
someone else may have suggested).

Ken

--
Ken Irving, fnkci+debianuser@uaf.edu

#12

On Sun, Aug 19, 2007 at 09:53:20AM -0800, Ken Irving wrote:
> On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> > On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
> > > > > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> > > > >
> > > > > So, you can do it in one command, sudo is launching a shell, which is
> > > > > responsible for redirections, pipes, chaining commands...
> > > >
> > > > Please correct me if I'm wrong, but this defeats the purpose of
> > > > restricting sudo to a certain set of commands.
> > >
> > > The command here is 'sh', so this could be restricted as usual.
> >
> > Of course you could, but if you're able to run sh what prevents you from
> > using it to run anything else?
>
> I'm probably misunderstanding something (not sure what the OP's question
> was), but my point was just that you can prevent someone from running
> sh in the first place -- i.e., they wouldn't be able to do the above
> operation.

Probably I misunderstood what you meant. The OP was asking for a method
to use sudo to allow only certain operations.

> Any command/program that is allowed to be run under sudo could be misused
> if it allows the user to run a shell from within that program.

Yep

> I don't have much experience with using sudo to *carefully* grant
> privileges to untrusted users, but I would think one could put something
> like the above in a script which the user is allowed to run (as I think
> someone else may have suggested).

Yes, that should work, and seems to me like the best way to achieve the
desired result.

Regards,
Andrei
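
The root-owned script approach the thread settles on, as an added example that is not part of any post: a function that stages a fixed-purpose hibernate wrapper and a sudoers rule allowing only that wrapper. The wrapper path /usr/local/sbin/hibernate, the drop-in /etc/sudoers.d/hibernate and the user name xxxx are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: the wrapper path /usr/local/sbin/hibernate,
# the drop-in /etc/sudoers.d/hibernate, and "xxxx" as a placeholder user.

# stage_hibernate DESTDIR USER
# Writes the wrapper and the sudoers rule under DESTDIR for review; copy
# them to / as root only after checking them.
stage_hibernate() {
    dest=$1
    user=$2
    wrapper=$dest/usr/local/sbin/hibernate
    rule=$dest/etc/sudoers.d/hibernate
    mkdir -p "$dest/usr/local/sbin" "$dest/etc/sudoers.d" || return 1
    rm -f "$wrapper" "$rule"

    # Inside the wrapper the redirection is opened by a shell that sudo
    # started as root, not by the caller's unprivileged shell.
    cat > "$wrapper" <<'EOF' || return 1
#!/bin/sh
# Takes no arguments and reads no input: it can only request hibernation.
echo disk > /sys/power/state
EOF

    # The trailing "" allows the command only when called without arguments.
    printf '%s ALL = (root) NOPASSWD: /usr/local/sbin/hibernate ""\n' \
        "$user" > "$rule" || return 1

    # Wrapper: executable by its owner only. Rule: read-only, mode 0440.
    chmod 0700 "$wrapper" || return 1
    chmod 0440 "$rule" || return 1

    # Ownership can only be set when staging as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$wrapper" "$rule" || return 1
    fi
    return 0
}

# Permission string of a file, e.g. -rwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Check the staged rule with `visudo -cf` before copying it into place, and keep the wrapper in a directory that only root can write to.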