Linux - Enterprise
This forum is for all items relating to using Linux in the Enterprise.
I have a developer on my Linux server who needs to have a small custom Bash script run manually which lives in the /etc/init.d/ folder:
Code:
[root@cq init.d]# ls -l myscript
-rwxrwxr-x 1 root root 1301 Feb 14 2012 myscript
I don't just want to give this or possibly more developers blind full sudo access to the entire server. My question is how can I limit the user's sudo access to run this script and not have to give them more access than they need? I'm not sure if it's necessary to see what exactly the script is doing and where it's doing it, so I will just leave it at this for now and can post more details if need be.
So I just want this user to be able to run this script as sudo but have sudo limit her ability to what she can and can't do as an elevated user.
Then she should be able to run only that script as sudo, and not be able to run any other commands as sudo.
However, you probably want to ensure she doesn't have write access to the script (otherwise she could put 'sh' in there and get a full shell!). So you want to take a copy of her script, make sure she can't alter the copy, and then allow her to run the copy as sudo.
Quote:
I'm not sure if it's necessary to see what exactly the script is doing and where it's doing it so
No, as long as you're aware of what it does and how it does it. Might be stating the obvious but if a script allows the user to 'su -l' (or see 'man sudoers': NOEXEC examples), well, then that's it.
Indeed; some cmds/tools do allow (or can be 'crashed' to allow) access to a shell.
Have a good read of the sudoers page http://linux.die.net/man/5/sudoers, with special ref to the Security Notes & Preventing Shell Escapes sections at the bottom there ...
Note that the perms you've got at the moment allow anyone to run it, without sudo...
You could possibly create a dedicated group for just running that file and only put that one user in that group and use group execute perms; no need for sudo.
Quote:
No, as long as you're aware of what it does and how it does it. Might be stating the obvious but if a script allows the user to 'su -l' (or see 'man sudoers': NOEXEC examples), well, then that's it.
Actually I think you do need to know what it does, as well as HOW.
One thing to restrict is parameters. The script may be subject to something like
Code:
sudo script '`/usr/bin/sh`'
Or some other shenanigans with parameters, environment, or other substitutions...
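The parameter trick above, shown against a constructed script; this is an added example, not code from the thread or from any poster. The "service restart" handler, the service names and the 'echo INJECTED' stand-in for /bin/sh are all constructed for illustration. The unsafe version shows why the argument is dangerous; the hardened version shows the script-side fix, which belongs alongside the sudoers-side controls (a trailing "" in the rule to forbid arguments, and the default env_reset to drop the caller's environment).

```shell
#!/bin/sh
# Added example (not from the thread): how a backtick argument turns a
# sudo-whitelisted script into a root shell, and a handler that refuses it.
# The restart-svc script, its service names and the payload are constructed.

# Deliberately unsafe: the caller's argument is spliced into a command string
# and eval'd, so `...` and $(...) inside it run with the script's privileges.
# Invoked as
#   sudo /usr/local/sbin/restart-svc '`/bin/sh`'
# the substitution spawns an interactive root shell before anything is restarted.
unsafe_handle() {
    eval "echo restarting service $1"
}

# Hardened: never rebuild a command line from user input. The argument is
# matched as one opaque word against a fixed list of names; anything else is
# refused with exit status 2. Backticks, quotes and semicolons are just
# characters here because nothing re-parses them.
safe_handle() {
    case "$1" in
        web|db|cache) echo "restarting service $1" ;;
        *) echo "refused: not a known service name" >&2; return 2 ;;
    esac
}

# Constructed payload: 'echo INJECTED' stands in for /bin/sh so the
# demonstration is harmless to run.
PAYLOAD='`echo INJECTED`'

# Side-by-side run of both handlers on the same payload.
demo() {
    echo "unsafe: $(unsafe_handle "$PAYLOAD")"
    echo "safe:   $(safe_handle "$PAYLOAD" 2>&1 || echo "(exit status $?)")"
}
```

Run demo to see the injected command execute under the unsafe handler and get refused by the safe one. Whitelisting the whole argument is the general rule: if a script must accept free-form input (a file name, a host), validate it against an explicit pattern and quote it everywhere it is used, and never pass it through eval, sh -c, or an unquoted expansion.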