[opensuse] sudo related question
I wrote a little script to change group owner and permissions of my photo tree:

#!/bin/bash

find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
  -exec sudo chgrp cer '{}' \; \
  -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
  -exec sudo setfacl -m g:users:r '{}' \;

With corresponding sudoers file entries:

cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:rx *
cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:r *
cer Telcontar = (root) /usr/bin/chgrp cer *
cer Telcontar = (root) /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t *
cer Telcontar = (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *

The script works, but there is a nuisance side effect on syslog: thousands of photos, so several times as many long entries:

<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root
<4.5> 2019-12-04 22:53:10 Telcontar sudo - - - cer : TTY=pts/83 ; PWD=/data/storage_b/cer ; USER=root ; COMMAND=/usr/bin/chgrp cer /data/storage_b/cer/Pictures/2016/08/DSC_1403.JPG
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root
<4.5> 2019-12-04 22:53:10 Telcontar sudo - - - cer : TTY=pts/83 ; PWD=/data/storage_b/cer ; USER=root ; COMMAND=/usr/bin/chmod u+r+w,g+r+w,o+r-w-x,-t /data/storage_b/cer/Pictures/2016/08/DSC_1403.JPG
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root
<4.5> 2019-12-04 22:53:10 Telcontar sudo - - - cer : TTY=pts/83 ; PWD=/data/storage_b/cer ; USER=root ; COMMAND=/usr/bin/setfacl -m g:users:r /data/storage_b/cer/Pictures/2016/08/DSC_1403.JPG
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
<10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root

This spams my log file and makes the script much slower.

Ideas?

I can of course run the script directly as root.

sudo find? With a loooong sudoers line, more "dangerous" when I put the '*' somewhere - I can't put the entire script.

sudo script? I thought that was forbidden.

I can not try anything now, the script has not finished...

--
Cheers
Carlos E. R.
(from 15.1 x86_64 at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wed, 4 Dec 2019 22:58:23 +0100 (CET) "Carlos E. R." <robin.listas@telefonica.net> wrote:

> I wrote a little script to change group owner and permissions of my photo tree:
>
> #!/bin/bash
>
> find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
>   -exec sudo chgrp cer '{}' \; \
>   -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
>   -exec sudo setfacl -m g:users:r '{}' \;
>
> With corresponding sudoers file entries:
>
> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:rx *
> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:r *
> cer Telcontar = (root) /usr/bin/chgrp cer *
> cer Telcontar = (root) /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t *
> cer Telcontar = (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *
>
> The script works, but there is a nuisance side effect on syslog: thousands of photos, so several times as many long entries:
>
> <10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
> <10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root
> <4.5> 2019-12-04 [snip]
>
> This spams my log file and makes the script much slower.
>
> Ideas?
>
> I can of course run the script directly as root.

That's what I would do.

> sudo find? With a loooong sudoers line, more "dangerous" when I put the '*' somewhere - I can't put the entire script.

why do you need any sudoers line at all?

> sudo script? I thought that was forbidden.
>
> I can not try anything now, the script has not finished...
On 05/12/2019 00.08, Dave Howorth wrote:
> On Wed, 4 Dec 2019 22:58:23 +0100 (CET) "Carlos E. R." <> wrote:
>
>> <10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session opened for user root by (uid=0)
>> <10.6> 2019-12-04 22:53:10 Telcontar sudo - - - pam_unix(sudo:session): session closed for user root
>> <4.5> 2019-12-04 [snip]
>>
>> This spams my log file and makes the script much slower.
>>
>> Ideas?
>>
>> I can of course run the script directly as root.
>
> That's what I would do.

Yes, I got tired of waiting yesterday (it had done less than half the files) and did just that. Still, I'd like to do it "properly" ;-)

>> sudo find? With a loooong sudoers line, more "dangerous" when I put the '*' somewhere - I can't put the entire script.
>
> why do you need any sudoers line at all?

Because my sudo configuration refuses any command that is not explicitly listed. And uses the user's password, not root's. This is on purpose.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Carlos, et al --

...and then Carlos E. R. said...
%
% On 05/12/2019 00.08, Dave Howorth wrote:
% ...
% > why do you need any sudoers line at all?
%
% Because my sudo configuration refuses any command that is not
[snip]

Then you'd definitely want

  ... | xargs -0 sudo /path/to/fixit.sh

from my earlier suggestion.

QTBD
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 05/12/2019 15.03, David T-G wrote:
> Carlos, et al --
>
> ...and then Carlos E. R. said...
> %
> % On 05/12/2019 00.08, Dave Howorth wrote:
> % ...
> % > why do you need any sudoers line at all?
> %
> % Because my sudo configuration refuses any command that is not
> [snip]
>
> Then you'd definitely want
>
>   ... | xargs -0 sudo /path/to/fixit.sh
>
> from my earlier suggestion.

maybe (in sudoers):

cer Telcontar = (root) /bin/bash \
    /data/storage_b/cer/./0_Change_PicturesPerms_via_sudo

will be the easiest (then I don't need two scripts: one script calls fixit.sh)

I might try xargs in the script, it would run faster. With the caveat that we are talking of about 15000 files with paths, more than fits the line command buffer - unless xargs knows to split in several lines. I don't remember if it does.

I just thought that sudoers did not allow scripts.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Carlos, et al --

...and then Carlos E. R. said...
%
% maybe (in sudoers):
%
% cer Telcontar = (root) /bin/bash \
%     /data/storage_b/cer/./0_Change_PicturesPerms_via_sudo
%
% will be the easiest (then I don't need two scripts: one script calls
% fixit.sh)

Yes, but get rid of the /bin/bash and just call the script, and you can get rid of the superfluous ./ in the middle as well.

%
% I might try xargs in the script, it would run faster. With the caveat
% that we are talking of about 15000 files with paths, more than fits
% the line command buffer - unless xargs knows to split in several
% lines. I don't remember if it does.

Yes, it does; that is its purpose.

%
% I just thought that sudoers did not allow scripts.

It does.

Next (as noted in your next email) you should put that script somewhere where only root can write it and take it away from yourself.

QTBN
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 07/12/2019 01.42, David T-G wrote:
> Carlos, et al --
>
> ...and then Carlos E. R. said...
> %
> % maybe (in sudoers):
> %
> % cer Telcontar = (root) /bin/bash \
> %     /data/storage_b/cer/./0_Change_PicturesPerms_via_sudo
> %
> % will be the easiest (then I don't need two scripts: one script calls
> % fixit.sh)
>
> Yes, but get rid of the /bin/bash and just call the script, and you can get rid of the superfluous ./ in the middle as well.

That ./ is just a typo. Done.

> %
> % I might try xargs in the script, it would run faster. With the caveat
> % that we are talking of about 15000 files with paths, more than fits
> % the line command buffer - unless xargs knows to split in several
> % lines. I don't remember if it does.
>
> Yes, it does; that is its purpose.

Ok. How do I change:

find /data/storage_b/cer/Pictures -type d \
  -exec chgrp cer '{}' \; \
  -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' \; \
  -exec setfacl -m g:users:rx '{}' \; \
  -exec setfacl -m g:cer:rwx '{}' \;

to using xargs?

find /data/storage_b/cer/Pictures -type d -print0 | xargs -0 \
  -exec chgrp cer '{}' \; \
  -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' \; \
  -exec setfacl -m g:users:rx '{}' \; \
  -exec setfacl -m g:cer:rwx '{}' \;

That I know is wrong. I want xargs to call several commands and to place the file name at the correct place for each. I look at the few examples in the man page, and I only see how to call a single command.

Of course I could call another script, but I do not want to keep two scripts. Can xargs call a function that only exists inside the script? I think not.

> %
> % I just thought that sudoers did not allow scripts.
>
> It does.
>
> Next (as noted in your next email) you should put that script somewhere where only root can write it and take it away from yourself.

Ah, it is there because seeing it there is how I know it exists and the name.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Hello,

On Sat, 07 Dec 2019, Carlos E. R. wrote:
> On 07/12/2019 01.42, David T-G wrote:
[..]
>> %
>> % I might try xargs in the script, it would run faster. With the caveat
>> % that we are talking of about 15000 files with paths, more than fits
>> % the line command buffer - unless xargs knows to split in several
>> % lines. I don't remember if it does.
>>
>> Yes, it does; that is its purpose.
>
> Ok. How do I change:
>
> find /data/storage_b/cer/Pictures -type d \
>   -exec chgrp cer '{}' \; \
>   -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' \; \
>   -exec setfacl -m g:users:rx '{}' \; \
>   -exec setfacl -m g:cer:rwx '{}' \;
>
> to using xargs?

Just replace those '\;' with '+'. As in:

find /data/storage_b/cer/Pictures -type d \
  -exec chgrp cer '{}' + \
  -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' + \
  -exec setfacl -m g:users:rx '{}' + \
  -exec setfacl -m g:cer:rwx '{}' +

If you're using a (bourne) shell as program, beware of the arg-null trap, as exemplified by:

WRONG:

$ find /tmp/dh/ -type f -name 't.*' \
    -exec /bin/sh -c 'echo "[$0] a: $@"' {} + \
    -exec /bin/sh -c 'echo "[$0] b: $@"' {} +
[/tmp/dh/t.pl] a: /tmp/dh/t.c /tmp/dh/t.dat /tmp/dh/t.sh
[/tmp/dh/t.pl] b: /tmp/dh/t.c /tmp/dh/t.dat /tmp/dh/t.sh

vs. CORRECT:

$ find /tmp/dh/ -type f -name 't.*' \
    -exec /bin/sh -c 'echo "[$0] a: $@"' find-bash {} + \
    -exec /bin/sh -c 'echo "[$0] b: $@"' find-bash {} +
[find-bash] a: /tmp/dh/t.pl /tmp/dh/t.c /tmp/dh/t.dat /tmp/dh/t.sh
[find-bash] b: /tmp/dh/t.pl /tmp/dh/t.c /tmp/dh/t.dat /tmp/dh/t.sh

Using '--' instead of some other string is ok too. Same goes for using 'sh -c ... {} \;' as well, e.g.:

$ find /tmp/dh/ -type f -name 't.*' \
    -exec /bin/sh -c 'echo "[$0] a: $@"' {} \; \
    -exec /bin/sh -c 'echo "[$0] b: $@"' -- {} \;
[/tmp/dh/t.pl] a:
[--] b: /tmp/dh/t.pl
[/tmp/dh/t.c] a:
[--] b: /tmp/dh/t.c
[/tmp/dh/t.dat] a:
[--] b: /tmp/dh/t.dat
[/tmp/dh/t.sh] a:
[--] b: /tmp/dh/t.sh

Alternatively, you could put all that -exec stuff into a (second) script and call that (no need to sudo again there, and no need to invoke bash explicitly, running the find (packed in a script and calling that via 'sh script') via sudo suffices[1]):

====
find /data/storage_b/cer/Pictures -type d -exec second_script {} +
==== second_script ====
#!/bin/bash
for f; do
    chgrp cer "$f"
    chmod u+r+w+x,g+w+x,o-r-w-x,-t "$f"
    setfacl -m g:users:rx "$f"
    setfacl -m g:cer:rwx "$f"
done
====

And as another alternative, you could put that "second_script" as an argument to find .. -exec /bin/bash -c ... {} +

====
find /data/storage_b/cer/Pictures -type d \
    -exec bash -c '
        for f; do
            chgrp cer "$f"
            chmod u+r+w+x,g+w+x,o-r-w-x,-t "$f"
            setfacl -m g:users:rx "$f"
            setfacl -m g:cer:rwx "$f"
        done
    ' find-bash {} +
====

as exemplified by:

$ find /tmp/dh/ -type f -name 't.*' \
    -exec /bin/sh -c \
    'for f; do echo "[$0] a: $f"; echo "[$0] b: $f"; done' find-bash {} +
[find-bash] a: /tmp/dh/t.pl
[find-bash] b: /tmp/dh/t.pl
[find-bash] a: /tmp/dh/t.c
[find-bash] b: /tmp/dh/t.c
[find-bash] a: /tmp/dh/t.dat
[find-bash] b: /tmp/dh/t.dat
[find-bash] a: /tmp/dh/t.sh
[find-bash] b: /tmp/dh/t.sh

As long as quoting "inside" the sh -c '' is easy, as in this case, this is what I'd go for. And note the difference in the sequence of how files are handled compared to the -exec .. -exec case above. If you care about timestamps and do some time-consuming stuff, it might be preferable to call process a on file 1, then b on 1, and only the a and b on 2, on 3 etc.

For anything more complicated, I'd probably use perl ;)

Oh, and don't use xargs unless you really need to.

Confused yet? Any more questions? ... and HTH,
-dnh

PS: I love my sigmonster at times! :) Cue: ed
--
he/she/it
I think alt.peeves determined that the correct term to use here is "s/h/it".
If you want, but doesn't titat make messages itard to read?
-- Chris Rovers, Dave Brown and Peter da Silva
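The two points in David Haller's post above (that '+' packs many paths into one process while '\;' starts one process per path, which is exactly what produced one sudo session and three syslog lines per photo at the top of the thread, and that with 'sh -c' the first argument after the script becomes $0 rather than part of "$@") can be checked on a throwaway tree. The script below is an added example, not code from the thread or from any of its authors; it builds its own scratch directory under mktemp, the function names are its own, and 'find-bash' is just the dummy $0 the thread uses.

```shell
#!/bin/sh
# Added example, not code from the thread: shows the batching difference
# between 'find -exec ... {} +' and 'find -exec ... {} \;', and the $0
# trap when the program run by -exec is 'sh -c'. Everything below works on
# a scratch tree it creates itself; 'find-bash' is just a dummy $0.

# Build a constructed scratch tree containing $1 empty files and print
# its path.
make_tree() {
    dir=$(mktemp -d) || return 1
    i=0
    while [ "$i" -lt "$1" ]; do
        : > "$dir/photo_$i.jpg"
        i=$((i + 1))
    done
    printf '%s\n' "$dir"
}

# Files actually seen by an inline script when no placeholder precedes {}:
# the first file becomes $0 and never appears in "$@".
count_without_placeholder() {
    find "$1" -type f -exec sh -c 'printf "%s\n" "$@"' {} + | wc -l | tr -d ' '
}

# Same, with a dummy $0 so that every file lands in "$@".
count_with_placeholder() {
    find "$1" -type f -exec sh -c 'printf "%s\n" "$@"' find-bash {} + | wc -l | tr -d ' '
}

# Number of processes started with '+': find packs as many paths as fit
# into one argument list, so a small tree needs a single process.
processes_with_plus() {
    find "$1" -type f -exec sh -c 'echo started' find-bash {} + | wc -l | tr -d ' '
}

# Number of processes started with '\;': one per file. With 'sudo' as the
# program this is one sudo session (and one syslog triplet) per photo.
processes_with_semicolon() {
    find "$1" -type f -exec sh -c 'echo started' find-bash {} \; | wc -l | tr -d ' '
}

# Run the comparison on a 5-file tree and clean up:  sh this_script.sh demo
demo() {
    tree=$(make_tree 5) || return 1
    printf 'with placeholder:    %s files seen\n' "$(count_with_placeholder "$tree")"
    printf 'without placeholder: %s files seen\n' "$(count_without_placeholder "$tree")"
    printf 'processes with +:    %s\n' "$(processes_with_plus "$tree")"
    printf 'processes with \\;:   %s\n' "$(processes_with_semicolon "$tree")"
    rm -rf "$tree"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On a 5-file tree the placeholder version sees 5 files and the version without it sees 4, '+' starts one process and '\;' starts five; on a tree of 15000 photos '+' would still start only as many processes as ARG_MAX requires.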
On 07/12/2019 17.51, David Haller wrote:
> Hello,
>
> On Sat, 07 Dec 2019, Carlos E. R. wrote:
>> On 07/12/2019 01.42, David T-G wrote:
> [..]
>>> %
>>> % I might try xargs in the script, it would run faster. With the caveat
>>> % that we are talking of about 15000 files with paths, more than fits
>>> % the line command buffer - unless xargs knows to split in several
>>> % lines. I don't remember if it does.
>>>
>>> Yes, it does; that is its purpose.
>>
>> Ok. How do I change:
>>
>> find /data/storage_b/cer/Pictures -type d \
>>   -exec chgrp cer '{}' \; \
>>   -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' \; \
>>   -exec setfacl -m g:users:rx '{}' \; \
>>   -exec setfacl -m g:cer:rwx '{}' \;
>>
>> to using xargs?
>
> Just replace those '\;' with '+'. As in:
>
> find /data/storage_b/cer/Pictures -type d \
>   -exec chgrp cer '{}' + \
>   -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' + \
>   -exec setfacl -m g:users:rx '{}' + \
>   -exec setfacl -m g:cer:rwx '{}' +

No, but the question now is using xargs instead.

You propose interesting alternatives, but I don't see the advantage :-?

...

> For anything more complicated, I'd probably use perl ;)
>
> Oh, and don't use xargs unless you really need to.

The advantage with xargs is, I assume, that it does

  chgrp args----verylonglinewithathousandfilesatonce

Considering that I have 10000 photos in at least two formats, that's many files to change and takes minutes to run.

I know how to do that calling another script. Maybe the same script with a switch. But not without a helper script.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Hello,

On Sat, 07 Dec 2019, Carlos E.R. wrote:
> On 07/12/2019 17.51, David Haller wrote:
>> On Sat, 07 Dec 2019, Carlos E. R. wrote:
>>> On 07/12/2019 01.42, David T-G wrote:
>> [..]
>>>> %
>>>> % I might try xargs in the script, it would run faster. With the caveat
>>>> % that we are talking of about 15000 files with paths, more than fits
>>>> % the line command buffer - unless xargs knows to split in several
>>>> % lines. I don't remember if it does.
>>>>
>>>> Yes, it does; that is its purpose.
>>>
>>> Ok. How do I change:
>>>
>>> find /data/storage_b/cer/Pictures -type d \
>>>   -exec chgrp cer '{}' \; \
>>>   -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' \; \
>>>   -exec setfacl -m g:users:rx '{}' \; \
>>>   -exec setfacl -m g:cer:rwx '{}' \;
>>>
>>> to using xargs?
>>
>> Just replace those '\;' with '+'. As in:
>>
>> find /data/storage_b/cer/Pictures -type d \
>>   -exec chgrp cer '{}' + \
>>   -exec chmod u+r+w+x,g+w+x,o-r-w-x,-t '{}' + \
>>   -exec setfacl -m g:users:rx '{}' + \
>>   -exec setfacl -m g:cer:rwx '{}' +
>
> No, but the question now is using xargs instead.
>
> You propose interesting alternatives, but I don't see the advantage :-?
[..]
> The advantage with xargs is, I assume, that it does
>
>   chgrp args----verylonglinewithathousandfilesatonce

'xargs whatever' fills the commandline to about $(getconf ARG_MAX) i.e. calls 'whatever' with about the max possible argument length.

'find .. -exec whatever .. {} +' does the same, i.e. calls 'whatever' with about the max possible argument length.

-dnh
--
``I think I recently decided that if pain is the body's way of saying "Wow, shit, stop! Something is wrong here!", then painkillers are our way of saying "Lalalala! I can't hear you!"'' -- Simon Cozens
On 07/12/2019 21.19, David Haller wrote:
> Hello,
>
> On Sat, 07 Dec 2019, Carlos E.R. wrote:
>> On 07/12/2019 17.51, David Haller wrote:
>>> On Sat, 07 Dec 2019, Carlos E. R. wrote:
>>>> On 07/12/2019 01.42, David T-G wrote:
> [..]
>> No, but the question now is using xargs instead.
>>
>> You propose interesting alternatives, but I don't see the advantage :-?
> [..]
>> The advantage with xargs is, I assume, that it does
>>
>>   chgrp args----verylonglinewithathousandfilesatonce
>
> 'xargs whatever' fills the commandline to about $(getconf ARG_MAX) i.e. calls 'whatever' with about the max possible argument length.
>
> 'find .. -exec whatever .. {} +' does the same, i.e. calls 'whatever' with about the max possible argument length.

It did not, when whatever was

  sudo chgrp...

it did a sudo at a time. I have thousands of such lines in the log till I aborted.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Hello,

On Sat, 07 Dec 2019, Carlos E. R. wrote:
> On 07/12/2019 21.19, David Haller wrote:
>> On Sat, 07 Dec 2019, Carlos E.R. wrote:
>>> On 07/12/2019 17.51, David Haller wrote:
>>>> On Sat, 07 Dec 2019, Carlos E. R. wrote:
>>>>> On 07/12/2019 01.42, David T-G wrote:
>> [..]
>>> No, but the question now is using xargs instead.
>>>
>>> You propose interesting alternatives, but I don't see the advantage :-?
>> [..]
>>> The advantage with xargs is, I assume, that it does
>>>
>>>   chgrp args----verylonglinewithathousandfilesatonce
>>
>> 'xargs whatever' fills the commandline to about $(getconf ARG_MAX) i.e. calls 'whatever' with about the max possible argument length.
>>
>> 'find .. -exec whatever .. {} +' does the same, i.e. calls 'whatever' with about the max possible argument length.
>
> It did not, when whatever was
>
>   sudo chgrp...
>
> it did a sudo at a time. I have thousands of such lines in the log till I aborted.

You were using 'find .. -exec whatever .. {} \;' then! ';' != '+'!

HTH,
-dnh
--
There are some people who clearly shouldn't be put in charge of any office-equipment more technical than a blunt finger dipped in water-soluble ink. -- Tanuki
Carlos, et al --

...and then Carlos E.R. said...
%
% The advantage with xargs is, I assume, that it does
%
%   chgrp args----verylonglinewithathousandfilesatonce

It does. You call your command fewer times by sending it lots of args each time.

%
% Considering that I have 10000 photos in at least two formats, that's
% many files to change and takes minutes to run.

Yep. Worse, you want to do multiple things to each file, which is where it gets really interesting.

%
% I know how to do that calling another script. Maybe the same script with
% a switch. But not without a helper script.

The real trick is capturing the input args to reuse across multiple commands, because

  for FILE
  do
    chmod X $FILE
    chgrp Y $FILE
  done

is just as painful. I whipped up a little test directory of 90k files

davidtg@gezebel:~> ls /var/tmp/X | head -5 ; ls /var/tmp/X | tail -5 ; ls /var/tmp/X | wc -l
010000
010001
010002
010003
010004
099995
099996
099997
099998
099999
90000

and a little script

davidtg@gezebel:~> cat /tmp/X.sh
#!/bin/sh

CM()
{
  ### show what we got
  CMWC=`echo $* | wc -cw`
  printf "CMWC $CMWC\t1 = $1\n"
  # begin code here
  chmod 000 $*
}

CG()
{
  ### show what we got
  CGWC=`echo $* | wc -cw`
  printf "CGWC $CGWC\t1 = $1\n"
  # begin code here
  chgrp users $*
}

# grab command line and see what we have
WC=`echo $* | wc -cw`
printf "PID $$\n WC $WC\t1 = $1\t2 = $2\t3 = $3\n"

# call chmod function
shift   ### drain an arg to prove function input
CM $*

# call chgrp function
shift   ### drain an arg to prove function input
CG $*

echo ''

to demo. You can see that I grab the number of chars and words on the command line and then strip off an arg as I pass the list to each function.

Here is a partial run

davidtg@gezebel:~> find /var/tmp/X -type f -print0 | xargs -0 /tmp/X.sh
PID 20310
 WC 7281 131058    1 = /var/tmp/X/010000    2 = /var/tmp/X/010001    3 = /var/tmp/X/010002
CMWC 7280 131040   1 = /var/tmp/X/010001
CGWC 7279 131022   1 = /var/tmp/X/010002
PID 20322
 WC 7281 131058    1 = /var/tmp/X/017281    2 = /var/tmp/X/017282    3 = /var/tmp/X/017283
CMWC 7280 131040   1 = /var/tmp/X/017282
CGWC 7279 131022   1 = /var/tmp/X/017283
PID 20335
 WC 7281 131058    1 = /var/tmp/X/024562    2 = /var/tmp/X/024563    3 = /var/tmp/X/024564
CMWC 7280 131040   1 = /var/tmp/X/024563
CGWC 7279 131022   1 = /var/tmp/X/024564
PID 20347
 WC 7281 131058    1 = /var/tmp/X/031843    2 = /var/tmp/X/031844    3 = /var/tmp/X/031845
CMWC 7280 131040   1 = /var/tmp/X/031844
CGWC 7279 131022   1 = /var/tmp/X/031845
^C

that I cut short just because I didn't want to paste the full 60-70 lines here :-)

Now ... How many of your files have evil spaces in them to mess up the calls to the functions? I used -print0 and -0 but didn't really put any smarts in the demo script ... mostly because I didn't think of it when running my files loop :-) You may want to play with $@ instead to try to retain formatting.

Meanwhile, you could very likely also put all of your find logic inside this script to generate the list and just pass it a list of directories to process if you're still worried about extra scripts. You need to call sudo in there somewhere, and since you like to list commands explicitly I'd lean toward

  sudo /path/to/fixit.sh /dir/1 /other/2 /elsewhere/3

for just one sudo call. YMMV, of course :-)

%
% --
% Cheers / Saludos,
%
% Carlos E. R.
% (from 15.1 x86_64 at Telcontar)

HTH & HAND
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
Carlos --

...and then Carlos E. R. said...
%
% I wrote a little script to change group owner and permissions of my photo tree:
%
% #!/bin/bash
%
% find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
%   -exec sudo chgrp cer '{}' \; \
%   -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
%   -exec sudo setfacl -m g:users:r '{}' \;
[snip]

Try

  find /here /there -print0 | xargs -0 sudo /path/to/fixit.sh

or perhaps

  ... sudo xargs -0 ...

if that's still too spammy.

HTH & que tenga buen noche
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
Hello,

On Wed, 04 Dec 2019, Carlos E. R. wrote:
> #!/bin/bash
>
> find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
>   -exec sudo chgrp cer '{}' \; \
>   -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
>   -exec sudo setfacl -m g:users:r '{}' \;
>
> With corresponding sudoers file entries:
>
> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:rx *
> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:r *
> cer Telcontar = (root) /usr/bin/chgrp cer *
> cer Telcontar = (root) /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t *
> cer Telcontar = (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *

Why not use numeric modes here, should be much easier to read:

  chmod 0660
  chmod 1770

> sudo script? I thought that was forbidden.

Just use:

  sudo /bin/bash script

HTH,
-dnh
--
Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;) -- Linus Torvalds
On 05/12/2019 02.41, David Haller wrote:
> Hello,
>
> On Wed, 04 Dec 2019, Carlos E. R. wrote:
>> #!/bin/bash
>>
>> find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
>>   -exec sudo chgrp cer '{}' \; \
>>   -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
>>   -exec sudo setfacl -m g:users:r '{}' \;
>>
>> With corresponding sudoers file entries:
>>
>> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:rx *
>> cer Telcontar = (root) /usr/bin/setfacl -m g\:users\:r *
>> cer Telcontar = (root) /usr/bin/chgrp cer *
>> cer Telcontar = (root) /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t *
>> cer Telcontar = (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *
>
> Why not use numeric modes here, should be much easier to read:
>
>   chmod 0660
>   chmod 1770

Not to me, the text is easier to read :-)

Numeric mode makes me consult my tables or do maths

>> sudo script? I thought that was forbidden.
>
> Just use:
>
>   sudo /bin/bash script

Ah! I'll try that.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Carlos, et al --

...and then Carlos E. R. said...
%
% On 05/12/2019 02.41, David Haller wrote:
% >
% > On Wed, 04 Dec 2019, Carlos E. R. wrote:
% >> ...
% >> /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t * cer Telcontar =
% >> (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *
% >
% > Why not use numeric modes here, should be much easier to read:
% >
% >   chmod 0660
% >   chmod 1770
%
% Not to me, the text is easier to read :-)

You could, FWIW, simplify those as

  u+rwx,o-rwx		# u+a,g-a ...
  o+r-wx

to make the reading simpler. It's a little change, but maybe helpful.

%
% Numeric mode makes me consult my tables or do maths
[snip]

*grin* I get it, even though I'm one of those that can just look at octal and see the perms :-)

HAND
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 05/12/2019 15.00, David T-G wrote:
> Carlos, et al --
>
> ...and then Carlos E. R. said...
> %
> % On 05/12/2019 02.41, David Haller wrote:
> % >
> % > On Wed, 04 Dec 2019, Carlos E. R. wrote:
> % >> ...
> % >> /usr/bin/chmod u+r+w+x\,g+w+x\,o-r-w-x\,+t * cer Telcontar =
> % >> (root) /usr/bin/chmod u+r+w\,g+r+w\,o+r-w-x\,-t *
> % >
> % > Why not use numeric modes here, should be much easier to read:
> % >
> % >   chmod 0660
> % >   chmod 1770
> %
> % Not to me, the text is easier to read :-)
>
> You could, FWIW, simplify those as
>
>   u+rwx,o-rwx # u+a,g-a ... o+r-wx
>
> to make the reading simpler. It's a little change, but maybe helpful.

But to me it is easier as I wrote it :-)

  chmod u+r+w,g+r+w,o+r-w-x,-t

The escapes are for the sudoers, not for the command itself. Sudoers doesn't like the commas.

So your version would end in the sudoers file like this:

  u+rwx\,o-rwx

> %
> % Numeric mode makes me consult my tables or do maths
> [snip]
>
> *grin* I get it, even though I'm one of those that can just look at octal and see the perms :-)

:-)

To me, I would do it like "+++++?+--". Ie, the same as "ls -" prints them.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Carlos, et al --

...and then Carlos E. R. said...
%
% On 05/12/2019 15.00, David T-G wrote:
% > ...
% >   u+rwx,o-rwx # u+a,g-a ... o+r-wx

[That's not quite how I wrote those two lines, BTW ...]

% >
% > to make the reading simpler. It's a little change, but maybe
% > helpful.
%
% But to me it is easier as I wrote it :-)
%
%   chmod u+r+w,g+r+w,o+r-w-x,-t

Fair enough :-) There are lots of ways to get to the same thing -- of course!

%
% The escapes are for the sudoers, not for the command itself. Sudoers
% doesn't like the commas.
%
% So your version would end in the sudoers file like this:
%
%   u+rwx\,o-rwx

Agreed. I was being lazy :-)

%
% > %
% > % Numeric mode makes me consult my tables or do maths
% > [snip]
% >
% > *grin* I get it, even though I'm one of those that can just look
% > at octal and see the perms :-)
%
% :-)
%
% To me, I would do it like "+++++?+--". Ie, the same as "ls -" prints them.

I could see that. It would be nice if chmod supported a 9-char input mode so that you could do that!

%
%
% --
% Cheers / Saludos,
%
% Carlos E. R.
% (from 15.1 x86_64 at Telcontar)
%

QTBD
:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 05/12/2019 13.46, Carlos E. R. wrote:
On 05/12/2019 02.41, David Haller wrote:
Hello,
sudo script? I thought that was forbidden.
Just use: sudo /bin/bash script
Ah! I'll try that.
It works.

/etc/sudoers:

    cer Telcontar = (root) /bin/bash /data/storage_b/cer/0_Cambiar_Permisos_Pictures_as_root

Using it:

    cer@Telcontar:/data/storage_b/cer> sudo /bin/bash /data/storage_b/cer/0_Cambiar_Permisos_Pictures_as_root
    [sudo] password for cer:
    cer@Telcontar:/data/storage_b/cer>

Takes its time.

But currently it is a security hole, as the script is owned by me-as-user, who can edit it and thus do anything as me-as-root:

    cer@Telcontar:/data/storage_b/cer> l /data/storage_b/cer/0_Cambiar_Permisos_Pictures_as_root
    -rwxr--r-- 1 cer users 939 Dec  4 23:02 /data/storage_b/cer/0_Cambiar_Permisos_Pictures_as_root*
    cer@Telcontar:/data/storage_b/cer>

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On 04/12/2019 16:58, Carlos E. R. wrote:
    find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
        -exec sudo chgrp cer '{}' \; \
        -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec sudo setfacl -m g:users:r '{}' \;
With corresponding sudoers file entries:
OUCH OUCH OUCH!

You've max-imalized when you could have minimized.

Sudo at the 'find' level and you can get rid of the individual sudo. Or just sudo the whole script.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 05/12/2019 15.11, Anton Aylward wrote:
On 04/12/2019 16:58, Carlos E. R. wrote:
    find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
        -exec sudo chgrp cer '{}' \; \
        -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec sudo setfacl -m g:users:r '{}' \;
With corresponding sudoers file entries:
OUCH OUCH OUCH!
You've max-imalized when you could have minimized.
Sudo at the 'find' level and you can get rid of the individual sudo. or just sudo the whole script.
I thought that sudoers do not allow scripts, only binaries. Other people can alter the script and thus access any command. Security hole.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On 05/12/2019 09:24, Carlos E. R. wrote:
I thought that sudoers do not allow scripts, only binaries. Other people can alter the script and thus access any command. Security hole.
SUDO is a raft of security holes.
So is SU.
So is PAM.
The whole setuid concept is a security tunnel.

There are many hi-risk situations like biological virus research labs where something akin to this would never be allowed. We'd be talking "Andromeda Strain" extinction event!
https://en.wikipedia.org/wiki/Extraterrestrial_sample_curation

But this is what the Gods of UNIX handed down to us and this is what we have to live with.
If you don't like it you can remove SUDO (and SU).
If you really don't like it you can patch the kernel so that setuid can't happen. Category 5 containment.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
Carlos --

...and then Carlos E. R. said...
%
% I thought that sudoers do not allow scripts, only binaries. Other
% people can alter the script and thus access any command. Security hole.

It'll let you run whatever you want, be it script or executable, and with or without specific or any args. And /bin/bash /path/to/fixit.sh is just as insecure as /path/to/fixit.sh may be; the important thing is to make the script secure [enough for your installation.]

HTH & QTBN :-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2019/12/05 06:24, Carlos E. R. wrote:
I thought that sudoers do not allow scripts, only binaries. Other people can alter the script and thus access any command. Security hole.
---
Whoever says sudo can execute script 'X' ensures it is only writeable or changeable by authorized users -- same issue that exists for binaries. I.e. I can put a fake /usr/bin/cp in place if 'cp' is writeable in /usr/bin. If it is not, then wouldn't it be a safe place to put a r+x script as well?

I think you are confusing "setuid" being safe or not with scripts. Historically, that hasn't been safe on all OS's, because the OS invokes another program and then hands the name to it, there being a split between access check and privilege usage. I don't know if linux does it or not, but if the script's file-handle is passed to the interpreter instead, I believe that is supposed to be safe, but I wouldn't assume that is done anywhere until it was tested. I'd tend toward thinking it doesn't work since a program would have to be able to accept either a filename or file-handle to have that work.

-l
Anton, et al --

...and then Anton Aylward said...
%
% On 04/12/2019 16:58, Carlos E. R. wrote:
% >
% > find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp
...
% > -exec sudo setfacl -m g:users:r '{}' \;
% >
% > With corresponding sudoers file entries:
%
% OUCH OUCH OUCH!
%
% You've max-imalized when you could have minimized.
%
% Sudo at the 'find' level and you can get rid of the individual sudo.
% or just sudo the whole script.

True ... kinda. Recall that he wants to list commands explicitly, which would mean a really interesting sudoers line.

Meanwhile, putting on my Security Freak hat, I wonder if it's more secure to escalate for specific commands as Carlos has or to go ahead and run a single find as root and perhaps go where we shouldn't....

:-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 05/12/2019 10:03, David T-G wrote:
Anton, et al --
...and then Anton Aylward said...
%
% On 04/12/2019 16:58, Carlos E. R. wrote:
% >
% > find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp
...
% > -exec sudo setfacl -m g:users:r '{}' \;
% >
% > With corresponding sudoers file entries:
%
% OUCH OUCH OUCH!
%
% You've max-imalized when you could have minimized.
%
% Sudo at the 'find' level and you can get rid of the individual sudo.
% or just sudo the whole script.
True ... kinda. Recall that he wants to list commands explicitly, which would mean a really interesting sudoers line.
Meanwhile, putting on my Security Freak hat, I wonder if it's more secure to escalate for specific commands as Carlos has or to go ahead and run a single find as root and perhaps go where we shouldn't....
I look at it this way.
If he can edit the sudoers configuration file to set up all those individual things then he can log in as root.
GAME OVER as far as security is concerned.
https://www.michaelwlucas.com/nonfiction/sudo-mastery

Me? I'm a dinosaur, I'm in the 'wheel' group.
https://en.wikipedia.org/wiki/Wheel_(computing)
[now why it was 'big wheel' rather than 'big cheese' is anyone's guess]
https://access.redhat.com/discussions/1392033

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 05/12/2019 16.17, Anton Aylward wrote:
On 05/12/2019 10:03, David T-G wrote:
Anton, et al --
...and then Anton Aylward said...
%
% On 04/12/2019 16:58, Carlos E. R. wrote:
% >
% > find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp
...
% > -exec sudo setfacl -m g:users:r '{}' \;
% >
% > With corresponding sudoers file entries:
%
% OUCH OUCH OUCH!
%
% You've max-imalized when you could have minimized.
%
% Sudo at the 'find' level and you can get rid of the individual sudo.
% or just sudo the whole script.
True ... kinda. Recall that he wants to list commands explicitly, which would mean a really interesting sudoers line.
Meanwhile, putting on my Security Freak hat, I wonder if it's more secure to escalate for specific commands as Carlos has or to go ahead and run a single find as root and perhaps go where we shouldn't....
I look at it this way. If he can edit the sudoers configuration file to set up all those individual things then he can log in as root.
Certainly. But I want to do it this way to learn how I would handle the sudoers file for plain users. That user or users would be able to call the script as user, but the script (which maybe only I should be able to edit) does the job or part of the job as root.

So usually I pretend to be a plain user in my own system. Then I get tired, and su away. :-D

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
Carlos, et al --

...and then Carlos E. R. said...
%
% On 05/12/2019 16.17, Anton Aylward wrote:
% >
% > I look at it this way. If he can edit the sudoers configuration
% > file to set up all those individual things then he can log in as
% > root.
%
% Certainly. But I want to do it this way to learn how I would handle
% the sudoers file for plain users. That user or user would be able to

Good plan, IMHO.

% call the script as user, but the script (which maybe only I should be
% able to edit), does the job or part of the job as root.

Yep.

%
% So usually I pretend to be a plain user in my own system. Then I get

Perfect!

% tired, and su away. :-D

Ah, well ... You got close. And when you get tired you should still use sudo instead ;-)

HANN :-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
Anton, et al --

...and then Anton Aylward said...
%
% On 05/12/2019 10:03, David T-G wrote:
% > ...
% > Meanwhile, putting on my Security Freak hat, I wonder if it's more secure
% > to escalate for specific commands as Carlos has or to go ahead and run
% > a single find as root and perhaps go where we shouldn't....
%
% I look at it this way.
% If he can edit the sudoers configuration file to set up all those individual
% things then he can log in as root.
% GAME OVER as far as security is concerned.
% https://www.michaelwlucas.com/nonfiction/sudo-mastery

Well, yeah. Agreed. But what if you the trusted root were setting up something for the not-so-trusted power user? Imagining a race condition, for instance, I'd rather call sudo once and have only one needle to try to catch in the process haystack.

%
% Me? I'm a dinosaur, I'm in the 'wheel' group.

Same :-) since SunOS 4.

% https://en.wikipedia.org/wiki/Wheel_(computing)
% [now why it was 'big wheel' rather than 'big cheese' is anyone's guess]
% https://access.redhat.com/discussions/1392033

*grin*

HANN :-D

--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2019-12-04 22:58, Carlos E. R. wrote:
    find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
        -exec sudo chgrp cer '{}' \; \
        -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec sudo setfacl -m g:users:r '{}' \;
This executes sudo 3 times per each file! You can insert 'echo' before 'sudo' to see what gets executed. E.g. for only 3 files 'a', 'b' and 'c', this becomes 9 'sudo' commands:

    $ mkdir tmp.dir
    $ cd tmp.dir/
    $ touch a b c
    $ find . -type f \
        -exec echo sudo chgrp cer '{}' \; \
        -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec echo sudo setfacl -m g:users:r '{}' \;
    sudo chgrp cer ./b
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b
    sudo setfacl -m g:users:r ./b
    sudo chgrp cer ./a
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./a
    sudo setfacl -m g:users:r ./a
    sudo chgrp cer ./c
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./c
    sudo setfacl -m g:users:r ./c

My first change would be to reduce by using find's "-exec ... +" syntax instead of "-exec ... \;" syntax. The + form invokes the given command with as many arguments as would fit into the command line:

    $ find . -type f \
        -exec echo sudo chgrp cer '{}' + \
        -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' + \
        -exec echo sudo setfacl -m g:users:r '{}' +
    sudo chgrp cer ./b ./a ./c
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
    sudo setfacl -m g:users:r ./b ./a ./c

Then, I'd try to reduce the number of '-exec' actions, e.g. by using a little shell snippet - with the "sh -cx" you see what is executed:

    $ find . -type f \
        -exec sudo sh -cx 'chgrp cer "$@"; \
                           chmod u+r+w,g+r+w,o+r-w-x,-t "$@"; \
                           setfacl -m g:users:r "$@"\
        ' sh '{}' +
    + chgrp cer ./b ./a ./c
    + chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
    + setfacl -m g:users:r ./b ./a ./c

The above works for any amount of files, and also for unusual (or malicious) file names. GNU find will spawn as many such shell processes as necessary.

For even more secure invocation (e.g. checking PATH), use -execdir instead of -exec. For more on this, pls. refer to the manual, e.g. here:

<https://www.gnu.org/software/findutils/manual/html_node/find_html/Single-File.html>
<https://www.gnu.org/software/findutils/manual/html_node/find_html/Multiple-Files.html>

BTW: your chmod argument contradicts the setfacl argument, so the files will have to be adjusted the next time again.

Have a nice day,
Berny
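The batched idiom in Bernhard's reply above is also the form to carry into a sudoers-listed script, since one sudo then covers a single find instead of three calls per photo. What follows is an added example, not code from the thread: it builds a scratch tree with hostile file names (a space, a newline, a leading dash, glob and `$()` characters), applies the chgrp and chmod steps through one `sh` per batch with `"$@"` carrying every name intact and `--` guarding option parsing, and then reports how many batches ran and how many files are still wrong. It assumes GNU find and coreutils on Linux and is meant to run as an ordinary user on files it owns, so the target group is the caller's primary group rather than cer, and the setfacl step is left out (no users group is assumed).

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a scratch tree whose file
# names defeat a naive "for f in $(find ...)" loop, then applies the chgrp
# and chmod steps with Bernhard's batched  -exec sh -c '...' sh {} +  idiom:
# one shell per batch instead of three sudo calls per file, "$@" carrying
# every name intact, and "--" so a name starting with "-" is never parsed
# as an option.
# Assumptions: GNU find and coreutils on Linux; run as an ordinary user on
# files it owns, so the target group is the caller's primary group rather
# than "cer", and the setfacl step is omitted (no "users" group assumed).

nl='
'

# make_hostile_tree DIR: six regular files with awkward names, some 0600
# (too tight) and some 0777 (too loose), so both directions get fixed.
make_hostile_tree() {
    d=$1
    mkdir -p -- "$d/sub"
    for n in 'plain.jpg' 'with space.jpg' '-leading-dash.jpg' 'glob*.jpg'; do
        : > "$d/$n"
    done
    : > "$d/sub/dollar\$(id).jpg"
    : > "$d/sub/new${nl}line.jpg"
    chmod 0600 -- "$d/plain.jpg" "$d/with space.jpg" "$d/-leading-dash.jpg"
    chmod 0777 -- "$d/glob*.jpg" "$d/sub/dollar\$(id).jpg" "$d/sub/new${nl}line.jpg"
}

# fix_tree DIR GROUP: chgrp + chmod for every regular file under DIR.
# find appends as many names as fit to each sh invocation, and the inner
# script sees them as "$@". Prints the number of batches that ran.
fix_tree() {
    find "$1" -type f -exec sh -c '
        grp=$1; shift
        chgrp -- "$grp" "$@" &&
        chmod u+rw,g+rw,o+r-wx,-t -- "$@" &&
        echo batch
    ' sh "$2" {} + | wc -l | tr -d ' '
}

# count_nonconforming DIR GROUP: files not in GROUP, lacking u=rw,g=rw,o=r,
# or still carrying o+w, o+x or the sticky bit. 0 means the tree is clean.
count_nonconforming() {
    find "$1" -type f \( ! -group "$2" -o ! -perm -0664 -o -perm -0002 \
        -o -perm -0001 -o -perm -1000 \) -print0 | tr -cd '\000' | wc -c | tr -d ' '
}

main() {
    tmp=$(mktemp -d) || exit 1
    grp=$(id -gn)
    make_hostile_tree "$tmp"
    echo "before: $(count_nonconforming "$tmp" "$grp") nonconforming files"
    echo "batches run: $(fix_tree "$tmp" "$grp")"
    echo "after:  $(count_nonconforming "$tmp" "$grp") nonconforming files"
    rm -rf -- "$tmp"
}

main
```

On a six-file tree this reports 6 nonconforming files before, 1 batch, and 0 after: the whole pass is one shell process, which is also the single line a sudoers entry has to cover. Drop the echo and replace `sh -c` with `sudo sh -c` only if your sudoers already permits that exact invocation; in Carlos's locked-down configuration it does not, which is why the thread ends up with sudo on the script itself.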
On 09/12/2019 22.29, Bernhard Voelker wrote:
On 2019-12-04 22:58, Carlos E. R. wrote:
    find /data/storage_b/cer/Pictures /data/storage_b/cer/Pictures.tmp /data/storage_b/cer/Pictures.astro -type f \
        -exec sudo chgrp cer '{}' \; \
        -exec sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec sudo setfacl -m g:users:r '{}' \;
This executes sudo 3 times per each file!
Yes, it does.
You can insert 'echo' before 'sudo' to see what gets executed.
E.g. for only 3 files 'a', 'b' and 'c', this becomes 9 'sudo' commands:
Correct.
    $ mkdir tmp.dir
    $ cd tmp.dir/
    $ touch a b c
    $ find . -type f \
        -exec echo sudo chgrp cer '{}' \; \
        -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' \; \
        -exec echo sudo setfacl -m g:users:r '{}' \;
    sudo chgrp cer ./b
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b
    sudo setfacl -m g:users:r ./b
    sudo chgrp cer ./a
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./a
    sudo setfacl -m g:users:r ./a
    sudo chgrp cer ./c
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./c
    sudo setfacl -m g:users:r ./c
My first change would be to reduce by using find's "-exec ... +" syntax instead of "-exec ... \;" syntax. The + form invokes the given command with as many arguments as would fit into the command line:
Ah? That bit I did not know, you are the first to mention it. I thought it simply executed the next command if the previous one was a success, but that is not an issue to me.
    $ find . -type f \
        -exec echo sudo chgrp cer '{}' + \
        -exec echo sudo chmod u+r+w,g+r+w,o+r-w-x,-t '{}' + \
        -exec echo sudo setfacl -m g:users:r '{}' +
    sudo chgrp cer ./b ./a ./c
    sudo chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
    sudo setfacl -m g:users:r ./b ./a ./c
Then, I'd try to reduce the number of '-exec' actions, e.g. by using a little shell snippet - with the "sh -cx" you see what is executed:
    $ find . -type f \
        -exec sudo sh -cx 'chgrp cer "$@"; \
                           chmod u+r+w,g+r+w,o+r-w-x,-t "$@"; \
                           setfacl -m g:users:r "$@"\
        ' sh '{}' +
Ah, yes, I understand. There is a caveat in my case: my sudo will refuse that invocation, because I have it configured such that it has to allow explicitly every possible invocation. If it is not listed it will refuse to allow it. I can not do "sudo anything", with root's password, and this is on purpose. I can do instead "sudo something" with my own user password, but not "sudo somethingelse". So what I have done is to use sudo on the script call itself, which I do not fully like but it works.
    + chgrp cer ./b ./a ./c
    + chmod u+r+w,g+r+w,o+r-w-x,-t ./b ./a ./c
    + setfacl -m g:users:r ./b ./a ./c
The above works for any amount of files, and also for unusual (or malicious) file names. GNU find will spawn as many such shell processes as necessary.
For even more secure invocation (e.g. checking PATH), use -execdir instead of -exec. For more on this, pls. refer to the manual, e.g. here:
<https://www.gnu.org/software/findutils/manual/html_node/find_html/Single-File.html>
<https://www.gnu.org/software/findutils/manual/html_node/find_html/Multiple-Files.html>

I'll have a look.
BTW: your chmod argument contradicts the setfacl argument, so the files will have to be adjusted the next time again.
Oh, I think I noticed, the current line now is different.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
participants (8)

- Anton Aylward
- Bernhard Voelker
- Carlos E. R.
- Carlos E.R.
- Dave Howorth
- David Haller
- David T-G
- L A Walsh