Mailinglist Archive: opensuse (1468 mails)

Re: [opensuse] Need help
  • From: "Boyd Stephen Smith Jr." <bss@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 3 Jun 2009 13:13:59 -0500
  • Message-id: <200906031314.03644.bss@xxxxxxxxxxxxxxxxx>
In <4A26CBE0.23F4.0029.1@xxxxxxxxxxxxx>, Dominique Leuenberger wrote:
On 6/3/2009 at 7:05 PM, Chuck Payne <terrorpup@xxxxxxxxx> wrote:
I need to write a script that gives one user access to stop and start
apache, I don't want to give them sudo.

A friend gave me this C script... but it's not working. Is there a way to do
this in bash?

No, there's no equivalent to the C language setuid() call in bash.

Also, I know with bash I can do sh -x to debug; how do you debug in C?

Compile with -g3 -ggdb flags and then use gdb.

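#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define REAL_SH "/usr/local/script/scr.sh"
int main(int argc, char **argv)
{
    /* Only succeeds if this binary is owned by root and has the setuid bit. */
    setuid(0);
    /* Replace this process with the script, passing the caller's arguments. */
    execv(REAL_SH, argv);
    return 1; /* reached only if execv() failed */
}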

This program would need to be setuid to work properly.

That's:
chmod +s $program
if you want to get it to work.

Then you can
as well give sudo to the user.

Well, not really. As long as the script is written with security in mind,
this C program is not going to be a problem.

For your use case, sudo might actually be
the good way to go.

I agree. You don't want to give the user access to all commands, just a
few. So, you should add something like:
Cmnd_Alias APACHE_CTL = /sbin/service apache2 *
User_Alias APACHE_ADM = username

APACHE_ADM ALL = NOPASSWD: APACHE_CTL
to your /etc/sudoers, by using the visudo command.

The first line creates a command alias "APACHE_CTL" (Apache control) that is
equivalent to the "/sbin/service" command with the first argument of
"apache2" and anything as the second argument. I don't have Apache
installed here, you might have to change that first argument to match the
name of the file under /etc/init.d that controls Apache. If he needs access
to a few more commands, you can append them here.

The second line creates a user alias "APACHE_ADM" (Apache administrators)
that is equivalent to just one user "username". You could also add yourself
or a group, as needed.

The last line says that APACHE_ADM on any host can run APACHE_CTL as root
without a password.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@xxxxxxxxxxxxxxxxx ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
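
A hardened take on the setuid wrapper discussed in this thread, as an added example that is not part of the original message or the friend's program: it accepts only "start" or "stop", runs the service command directly with a fixed environment instead of passing argv to a shell script, and stops if setuid(0) fails. /sbin/service and apache2 are taken from the sudoers lines in the reply; the fallback program name "apache-wrap" is hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: command path and service name as used in the sudoers example. */
#define SERVICE_BIN  "/sbin/service"
#define SERVICE_NAME "apache2"

/* Return the matching allowlisted action, or NULL if the request is rejected. */
static const char *allowed_action(const char *arg)
{
    static const char *const actions[] = { "start", "stop" };
    size_t i;

    if (arg == NULL)
        return NULL;
    for (i = 0; i < sizeof(actions) / sizeof(actions[0]); i++)
        if (strcmp(arg, actions[i]) == 0)
            return actions[i];   /* hand back our constant, not caller data */
    return NULL;
}

int main(int argc, char **argv)
{
    /* Fixed environment: no caller-supplied PATH, IFS, LD_* or BASH_ENV. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    const char *action = (argc == 2) ? allowed_action(argv[1]) : NULL;
    char *args[4];

    if (action == NULL) {
        fprintf(stderr, "usage: %s start|stop\n",
                argc > 0 ? argv[0] : "apache-wrap");
        return 2;
    }
    /* Without the setuid bit this fails; do not continue unprivileged. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    args[0] = SERVICE_BIN;
    args[1] = SERVICE_NAME;
    args[2] = (char *)action;
    args[3] = NULL;
    execve(SERVICE_BIN, args, envp);
    perror("execve");            /* reached only if execve() failed */
    return 1;
}
```

The binary still has to be owned by root with the setuid bit set, and it should be executable only by the intended user or group.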
