On 2014-06-10 16:48, Bernhard Voelker wrote:
> On 06/10/2014 03:47 PM, Carlos E. R. wrote:
>> But you may be right, that could be the reason. I have one entry:
>>
>>   cer Telcontar = (news) NOPASSWD: /usr/bin/tailf /var/log/news/news.debug
>>
>> Obviously "tailf" can be called as a plain user, but for use with sudo I needed to input the full path.
>
> It's the other way round: if just "tailf" were in your sudoers without an absolute path, and sudo first tried to resolve it before switching the user, then it would be possible for the local user/attacker to create another script/program with the same name (e.g. with content like "rm -rf /var/spool/news"), put it into a directory that comes earlier in $PATH, and then run that arbitrary stuff as user 'news'. I don't think this is wanted ... Absolute paths in sudoers are *good* (and not only there). ;-)
Yes, that's what I'm saying.

-- 
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
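The point Bernhard makes, that a sudoers command given as a bare name rather than an absolute path would be resolved through $PATH, is easy to check for mechanically. The following is an added example, not code from the thread or from the sudo project: a small linter that parses the common shape of sudoers user specifications and Cmnd_Alias lines (a simplified subset of the real grammar, which is an assumption of this example; it ignores line continuations, includes and Defaults) and reports any command whose name does not start with "/". The sample sudoers text is constructed; only the tailf line mirrors the one quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample sudoers content (only the tailf entries mirror the thread).
SAMPLE_SUDOERS = """\
# Constructed sample; only the tailf line mirrors the thread
root    ALL=(ALL:ALL) ALL
Cmnd_Alias NEWSLOG = /usr/bin/tailf /var/log/news/news.debug
cer Telcontar = (news) NOPASSWD: /usr/bin/tailf /var/log/news/news.debug
cer Telcontar = (news) NOPASSWD: tailf /var/log/news/news.debug
cer ALL = (news) NEWSLOG
%admin  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, sudoedit /etc/app.conf
"""

# Tags that may prefix a command in a user specification (sudoers(5) tag names).
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
# user  host = (runas) [TAG:] cmd, cmd ...   (simplified subset of the grammar)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
ALIAS_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*")


def _split_commands(cmd_list: str) -> List[str]:
    # Commands are comma separated; a backslash-escaped comma belongs to the command.
    return [c.strip() for c in re.split(r"(?<!\\),", cmd_list) if c.strip()]


def _strip_tags(cmd: str) -> Tuple[List[str], str]:
    """Peel leading TAG: prefixes off a command, returning (tags, remainder)."""
    tags: List[str] = []
    while True:
        m = TAG_RE.match(cmd)
        if not m:
            return tags, cmd
        tags.append(m.group(1))
        cmd = cmd[m.end():]


def check_command(cmd: str, tags: List[str]) -> List[str]:
    """Return the problems found in one tag-free command specification."""
    cmd = cmd.lstrip("!").strip()  # '!' negates a command; the path rule still applies
    if not cmd:
        return []
    name = cmd.split()[0]
    problems: List[str] = []
    if name == "ALL":
        if "NOPASSWD" in tags:
            problems.append("NOPASSWD granted for ALL commands")
    elif name == "sudoedit" or ALIAS_NAME_RE.fullmatch(name):
        pass  # built-in keyword, or a Cmnd_Alias reference checked where it is defined
    elif not name.startswith("/"):
        problems.append(
            f"command {name!r} is not an absolute path; sudo would resolve it via $PATH"
        )
    return problems


def lint_sudoers(text: str) -> List[Dict[str, object]]:
    """Scan sudoers text and report commands that are not given as absolute paths."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            who, cmd_list = f"Cmnd_Alias {m.group(1)}", m.group(2)
        else:
            m = SPEC_RE.match(line)
            if not m:
                continue  # not a user specification this simplified parser understands
            who, cmd_list = m.group(1), m.group(4)
        tags: List[str] = []  # a tag stays in effect for the commands that follow it
        for cmd in _split_commands(cmd_list):
            new_tags, cmd = _strip_tags(cmd)
            tags.extend(new_tags)
            for problem in check_command(cmd, tags):
                findings.append(
                    {"line": lineno, "who": who, "command": cmd, "problem": problem}
                )
    return findings


if __name__ == "__main__":
    for f in lint_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']} ({f['who']}): {f['problem']}")
```

Run against the constructed sample it flags line 5 (the bare "tailf") and line 7 (NOPASSWD for ALL), and is silent for the absolute-path entries, the Cmnd_Alias reference and sudoedit. On a real system, `visudo -c` validates syntax but does not warn about relative command names, which is the gap a check like this covers.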