Suppressing password request from 'sudo'

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Mon Apr 4 00:47:02 UTC 2005


Christopher Browne wrote:
> I don't see the advantage to using the password, here.
> 
> If you use the password, that means that for the "other" to be able to
> run the program, they have to have YOUR password, and so have the
> ability to masquerade as you and to do ANYTHING you can do, as you.
> 
> I'd be MUCH more comfortable with granting the other users access to
> the particular command "sans password;" while there can be arguments
> made to the effect that that's not 'totally secure,' it seems to me
> that giving out YOUR password represents a ludicrous breach of
> security.

Mhm, I agree. The way I've helped protect against that is the program 
checks to make sure that the file with the password is owned by the 
user/group the program runs under and has the permissions set to 600. I 
tell the user to treat this file with the same caution as the 'passwd' 
and 'shadow' files. The user who runs the program is *supposed* to be a 
dedicated user account just for running this program as.

Part of my reasoning for this method is that within the program a given 
user (there can be multiple) may have restricted access (like being able 
to perform searches only). I realize that there is probably no way these 
users could get to the shell anyway but I thought it was still a little 
safer than using 'nopasswd'.

I think what I will need to do once the program is finished (or rather, 
working enough to test against) is see if I can catch the interest of 
some security folks. Ask them to see what they think of the security and 
see if they have suggestions for making it more secure. In the meantime, 
I think I will leave the password in place. That said, I still need an 
answer to my problem. :p

Madison

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly (Digimer)
TLE-BU, The Linux Experience; Back Up
http://tle-bu.thelinuxexperience.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
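
The check described in the message above (password file owned by the user/group the program runs under, mode 600), as an added example that is not part of the original post and is not the program's own code. The function name `read_secret` and the sample file are assumptions; the check is made on the open descriptor rather than on the path, so the file that passes is the file that gets read.

```python
import os
import stat
import tempfile


def read_secret(path, uid=None, gid=None):
    """Return the secret only if path is a regular file owned by uid:gid
    (default: this process's effective ids) with mode exactly 0600."""
    uid = os.geteuid() if uid is None else uid
    gid = os.getegid() if gid is None else gid
    # O_NOFOLLOW refuses a symlink at the final path component;
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat() the open descriptor rather than stat() the path, so the
        # file that passes the check is the same file that gets read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if (st.st_uid, st.st_gid) != (uid, gid):
            raise PermissionError(
                f"{path}: owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o600:
            raise PermissionError(f"{path}: mode is {mode:04o}, expected 0600")
        with os.fdopen(fd, "r") as fh:
            fd = None  # fh now owns the descriptor
            return fh.read().rstrip("\n")
    finally:
        if fd is not None:
            os.close(fd)


if __name__ == "__main__":
    # Constructed sample file, not a real credential.
    path = os.path.join(tempfile.mkdtemp(), "secret")
    with open(path, "w") as f:
        f.write("constructed-secret\n")
    os.chown(path, os.geteuid(), os.getegid())
    for mode in (0o600, 0o640):
        os.chmod(path, mode)
        try:
            print(f"{mode:04o}: read {len(read_secret(path))} characters")
        except PermissionError as exc:
            print(f"{mode:04o}: refused ({exc})")
```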




