[opensuse] Need help
Guys,

I need to write a script that gives one user access to stop and start
apache; I don't want to give them sudo. A friend gave me this C
script... but it's not working. Is there a way to do this in bash? Also,
I know with bash I can do sh -x to debug; how do you debug in C?

/* program: rootme
purpose: C program wrapper that calls a defined script to run as root
*/
#include

On 6/3/2009 at 7:05 PM, Chuck Payne wrote:
> Guys, I need to write a script that gives one user access to stop and start apache; I don't want to give them sudo. A friend gave me this C script... but it's not working. Is there a way to do this in bash? Also, I know with bash I can do sh -x to debug; how do you debug in C?
>
> /* program: rootme
>    purpose: C program wrapper that calls a defined script to run as root */
> #include
> #include
> #include
> #define REAL_SH "/usr/local/script/scr.sh"
> main(argc, argv)
> char **argv;
> {
>     setuid(0);
>     execv(REAL_SH, argv);
> }

Urgh, this program would require to be set setuid to work properly. Then you can as well give sudo to the user.

For your use case, sudo might actually be the good way to go. You can limit sudo to:
- Grant a specific command, if needed even with a set of arguments, to
- a specific user / group on
- a specific computer.

You could define this specific command for that group not to require a password to be typed, and as such your root password stays secure.

Dominique

In <4A26CBE0.23F4.0029.1@TMF-Group.com>, Dominique Leuenberger wrote:
> On 6/3/2009 at 7:05 PM, Chuck Payne wrote:
>> I need to write a script that gives one user access to stop and start apache; I don't want to give them sudo.
>> A friend gave me this C script... but it's not working. Is there a way to do this in bash?

No, there's no equivalent to the C language setuid() call in bash.

>> Also, I know with bash I can do sh -x to debug; how do you debug in C?

Compile with -g3 -ggdb flags and then use gdb.

>> #include
>> #include
>> #include
>> #define REAL_SH "/usr/local/script/scr.sh"
>> main(argc, argv)
>> char **argv;
>> {
>>     setuid(0);
>>     execv(REAL_SH, argv);
>> }
> this program would require to be set setuid to work properly.

That's:
    chmod +s $program
if you want to get it to work.

> Then you can as well give sudo to the user.

Well, not really. As long as the script is written with security in mind, this C program is not going to be a problem.

> For your use case, sudo might actually be the good way to go.

I agree. You don't want to give the user access to all commands, just a few. So, you should add something like:
    APACHE_CTL = /sbin/service apache2 *
    APACHE_ADM = username
    APACHE_ADM ALL=NOPASSWD: APACHE_CTL
to your /etc/sudoers, by using the visudo command.

The first line creates a command alias "APACHE_CTL" (Apache control) that is equivalent to the "/sbin/service" command with the first argument of "apache2" and anything as the second argument. I don't have Apache installed here, you might have to change that first argument to match the name of the file under /etc/init.d that controls Apache. If he needs access to a few more commands, you can append them here.

The second line creates a user alias "APACHE_ADM" (Apache administrators) that is equivalent to just one user "username". You could also add yourself or a group, as needed.

The last line says that APACHE_ADM on any host can run APACHE_CTL as root without a password.
--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy        `-'(. .)`-'
http://iguanasuicide.net/                    \_/

On Wed, Jun 3, 2009 at 2:13 PM, Boyd Stephen Smith Jr. wrote:
> In <4A26CBE0.23F4.0029.1@TMF-Group.com>, Dominique Leuenberger wrote:
>> On 6/3/2009 at 7:05 PM, Chuck Payne wrote:
>>> I need to write a script that gives one user access to stop and start apache; I don't want to give them sudo.
>>> A friend gave me this C script... but it's not working. Is there a way to do this in bash?
>
> No, there's no equivalent to the C language setuid() call in bash.
>
>>> Also, I know with bash I can do sh -x to debug; how do you debug in C?
>
> Compile with -g3 -ggdb flags and then use gdb.
>
>>> #include
>>> #include
>>> #include
>>> #define REAL_SH "/usr/local/script/scr.sh"
>>> main(argc, argv)
>>> char **argv;
>>> {
>>>     setuid(0);
>>>     execv(REAL_SH, argv);
>>> }
>> this program would require to be set setuid to work properly.
>
> That's:
>     chmod +s $program
> if you want to get it to work.
>
>> Then you can as well give sudo to the user.
>
> Well, not really. As long as the script is written with security in mind, this C program is not going to be a problem.
>
>> For your use case, sudo might actually be the good way to go.
>
> I agree. You don't want to give the user access to all commands, just a few. So, you should add something like:
>     APACHE_CTL = /sbin/service apache2 *
>     APACHE_ADM = username
>     APACHE_ADM ALL=NOPASSWD: APACHE_CTL
> to your /etc/sudoers, by using the visudo command.
>
> The first line creates a command alias "APACHE_CTL" (Apache control) that is equivalent to the "/sbin/service" command with the first argument of "apache2" and anything as the second argument. I don't have Apache installed here, you might have to change that first argument to match the name of the file under /etc/init.d that controls Apache. If he needs access to a few more commands, you can append them here.
>
> The second line creates a user alias "APACHE_ADM" (Apache administrators) that is equivalent to just one user "username". You could also add yourself or a group, as needed.
>
> The last line says that APACHE_ADM on any host can run APACHE_CTL as root without a password.
> --
> Boyd Stephen Smith Jr.                   ,= ,-_-. =.
> bss@iguanasuicide.net                   ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy        `-'(. .)`-'
> http://iguanasuicide.net/                    \_/

Well, I am getting an error when I add this to visudo

    ###################################
    # Cmnd_Alias section #
    ###################################
    APACHE_CTL=/usr/local/bin/apache.sh
    APACHE_ADM=vgnadmin
    ###################################
    # User Section #
    ###################################
    APACHE_ADM ALL=NOPASSWD:APACHE_CTL
    root ALL=(ALL) ALL
    %sysadmin ALL=(ALL) ALL

The error is this...

    visudo
    Warning: undeclared User_Alias `APACHE_CTL' referenced near line 7
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 8
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 12
    Warning: undeclared Cmnd_Alias `APACHE_CTL' referenced near line 12
    Warning: undeclared User_Alias `APACHE_CTL' referenced near line 7
    >>> sudoers file: syntax error, line 6 <<<
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 8
    >>> sudoers file: syntax error, line 7 <<<
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 12
    Warning: undeclared Cmnd_Alias `APACHE_CTL' referenced near line 12
    What now? e
    Warning: undeclared User_Alias `APACHE_CTL' referenced near line 7
    >>> sudoers file: syntax error, line 6 <<<
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 8
    >>> sudoers file: syntax error, line 7 <<<
    Warning: undeclared User_Alias `APACHE_ADM' referenced near line 12
    Warning: undeclared Cmnd_Alias `APACHE_CTL' referenced near line 12

Any clues what I am doing wrong?

--
----------------------------------------
When a place gets crowded enough to require ID's, social collapse is not far away. It is time to go elsewhere. The best thing about space travel is that it made it possible to go elsewhere.
-- Robert Heinlein

In <630b55a80906031143k62e7f6bv88ed01c0877c1181@mail.gmail.com>, Chuck Payne wrote:
> On Wed, Jun 3, 2009 at 2:13 PM, Boyd Stephen Smith Jr. wrote:
>> In <4A26CBE0.23F4.0029.1@TMF-Group.com>, Dominique Leuenberger wrote:
>>> On 6/3/2009 at 7:05 PM, Chuck Payne wrote:
>>>> I need to write a script that gives one user access to stop and start apache; I don't want to give them sudo.
>>> For your use case, sudo might actually be the good way to go.
>> I agree. You don't want to give the user access to all commands, just a few. So, you should add something like:
>>     APACHE_CTL = /sbin/service apache2 *
>>     APACHE_ADM = username
>>     APACHE_ADM ALL=NOPASSWD: APACHE_CTL
>> to your /etc/sudoers, by using the visudo command.
> Well, I am getting an error when I add this to visudo
>
> ###################################
> # Cmnd_Alias section #
> ###################################
> APACHE_CTL=/usr/local/bin/apache.sh
> APACHE_ADM=vgnadmin
> ###################################
> # User Section #
> ###################################
> APACHE_ADM ALL=NOPASSWD:APACHE_CTL
> root ALL=(ALL) ALL
> %sysadmin ALL=(ALL) ALL
>
> The error is this...
>
> visudo
> Warning: undeclared User_Alias `APACHE_CTL' referenced near line 7
> Warning: undeclared User_Alias `APACHE_ADM' referenced near line 8
> Warning: undeclared User_Alias `APACHE_ADM' referenced near line 12
> Warning: undeclared Cmnd_Alias `APACHE_CTL' referenced near line 12
>
> Any clues what I am doing wrong?

Heh, taking my unvarnished advice. :P I'm glad you used visudo, since I messed up the syntax.

I think the command alias line actually needs to be:
    Cmnd_Alias APACHE_CTL = /usr/local/bin/apache.sh
and the user alias actually needs to be:
    User_Alias APACHE_ADM = vgnadmin
--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy        `-'(. .)`-'
http://iguanasuicide.net/                    \_/
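
The corrected rule lets vgnadmin run /usr/local/bin/apache.sh as root, so what that script accepts is the real permission boundary. The following is an added example, not code from anyone in the thread: a sketch of such a script that accepts only a fixed set of actions. The `/sbin/service apache2` call is the form quoted earlier in the thread; the function names and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example: a possible /usr/local/bin/apache.sh for the sudoers rule above.
# A Cmnd_Alias entry with no argument list lets the user pass any arguments,
# so the script itself must decide what is allowed. It must also be owned by
# root and not writable by vgnadmin, or the NOPASSWD rule is full root access.
# Assumptions: Apache is driven by "/sbin/service apache2 <action>" (the form
# used earlier in the thread); the allow-list and function names are made up.

# Fixed PATH so nothing inherited from the caller decides which binary runs.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

SERVICE_BIN=/sbin/service
SERVICE_NAME=apache2

# validate_action ARGS...
# Prints the action and returns 0 if exactly one allow-listed word was given;
# returns 2 for a wrong argument count, 3 for anything else.
validate_action() {
    [ "$#" -eq 1 ] || return 2
    case "$1" in
        start|stop|restart) printf '%s\n' "$1" ;;
        *) return 3 ;;
    esac
}

run_action() {
    action=$(validate_action "$@") || {
        echo "usage: apache.sh {start|stop|restart}" >&2
        return 64
    }
    # Absolute path, fixed argument vector: the only caller-supplied text that
    # reaches the command line is a word already matched against the list.
    "$SERVICE_BIN" "$SERVICE_NAME" "$action"
}

# Run only when invoked as apache.sh, so the functions can be sourced and tested.
case "${0##*/}" in
    apache.sh) run_action "$@" ;;
esac
```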

participants (3)
- Boyd Stephen Smith Jr.
- Chuck Payne
- Dominique Leuenberger