On 05/12/2019 16.17, Anton Aylward wrote:
On 05/12/2019 10:03, David T-G wrote:
Anton, et al --
...and then Anton Aylward said...
%
% On 04/12/2019 16:58, Carlos E. R. wrote:
% >
% > find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp ...
% >     -exec sudo setfacl -m g:users:r '{}' \;
% >
% > With corresponding sudoers file entries:
%
% OUCH OUCH OUCH!
%
% You've max-imalized when you could have minimized.
%
% Sudo at the 'find' level and you can get rid of the individual sudo.
% or just sudo the whole script.
True ... kinda. Recall that he wants to list commands explicitly, which would mean a really interesting sudoers line.
Meanwhile, putting on my Security Freak hat, I wonder if it's more secure to escalate for specific commands as Carlos has or to go ahead and run a single find as root and perhaps go where we shouldn't....
I look at it this way. If he can edit the sudoers configuration file to set up all those individual things then he can log in as root.
Certainly. But I want to do it this way to learn how I would handle the sudoers file for plain users. That user or users would be able to call the script as user, but the script (which maybe only I should be able to edit), does the job or part of the job as root.

So usually I pretend to be a plain user in my own system. Then I get tired, and su away. :-D

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
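
Added example, not part of the original message and not the sudoers entries it refers to: the two approaches weighed in the thread (a rule per escalated command versus one rule for a root-owned script), written as a sudoers drop-in. The user name `cer`, the `/usr/bin/setfacl` location, the drop-in file name and the script path `/usr/local/sbin/fix-picture-acls` are assumptions.

```sudoers
# /etc/sudoers.d/pictures-acl   (assumed file name)
# User "cer", /usr/bin/setfacl and the script path are assumptions.
# The two rules are alternatives; keep only the one you intend to use.

# Approach 1: a rule for the command that find -exec runs through sudo.
# ':' inside command arguments must be escaped as '\:' in sudoers.
# A '*' in the argument list matches any characters, including '/' and
# spaces, so the rule is not confined to the directory it names
# (see the wildcard caveats in sudoers(5)).
cer ALL = (root) NOPASSWD: /usr/bin/setfacl -m g\:users\:r /data/storage_b/cer/Pictures/*

# Approach 2: a single rule for a script that only root can modify.
# The trailing "" means the command may only be run with no arguments,
# so the caller cannot pass paths or options to code that runs as root.
cer ALL = (root) NOPASSWD: /usr/local/sbin/fix-picture-acls ""

# Prerequisite for approach 2, enforced outside sudoers:
#   the script and every directory above it are owned by root and are
#   not writable by group or others (for example root:root, mode 0755).
```

Check the file with `visudo -cf /etc/sudoers.d/pictures-acl` before relying on it.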