JeroenV Guru
Joined: 16 Jul 2002 Posts: 447 Location: Amsterdam / Hamburg
Posted: Tue Oct 24, 2006 9:13 pm Post subject: your opinion about "sudox" (sudo for X)? |
Hi,
ages ago I wrote a little script called sudox, to be able to use an X app through sudo.
The reason: I have a backup operator backupop that needs to be able to restore system files using kdar and for that needs root access. The backupop logs in via ssh (with X11 forwarding) to the server. However, I don't want to give backupop root access (by public key), to limit his actions.
(I know that potentially backupop can do anything when allowed to restore files as root, but backupop is trusted, it should just not be convenient to use that account for any sysadmin activity)
To make sudo work for kdar in this setting, I wrote this script to "forward" the X authorization. I'd like to hear your opinion about the do's and don'ts and security.
This one is executed as (which is the sudox command granted in sudoers):
Code: |
/usr/local/bin/sudox kdar
|
Code: |
#!/bin/bash
# this script can be called by users that have both:
# 1) execute permissions for this script
# 2) sudo permissions for this script
# The script first sets up an X environment for root,
# and then calls itself (recursively) via sudo, to execute
# the desired X application with root privileges
# Setting up the X environment in this context means:
# telling root where to find the .Xauthority file of the
# user executing sudo, so it can use it.
# !!! MAKE SURE EXECUTE PERMISSIONS FOR THIS FILE ARE SET SPARINGLY !!!
# !!! ALSO MAKE SURE /etc/sudoers IS CONFIGURED CORRECTLY !!!
# If the calling user's .sudox exists, the sudo command is executed after
# setting up the proper X environment.
# The .sudox file is removed before executing the command,
# cleaning up any sensitive information
SUDOX=.sudox
SUDOX1=${HOME}/${SUDOX}
SUDOX2=/home/people/${SUDO_USER}/${SUDOX}
# SUDO_USER is only set when we run under sudo; under sudo $HOME may
# already be root's, so look for the file in the caller's home, not in
# the current directory
if [ -n "$SUDO_USER" ] && [ -f "$SUDOX2" ]; then
    # if we arrived here we are executed via sudo:
    # source the environment file the calling user wrote
    # (the file is owned by that user; root runs whatever it contains)
    . "$SUDOX2"
    rm -f "$SUDOX2"
    "$@"
else
    # first invocation, as the unprivileged user: record the X
    # environment for root, then re-run this script via sudo
    echo "#! /bin/bash" > "$SUDOX1"
    echo "export DISPLAY=$DISPLAY" >> "$SUDOX1"
    echo "export XAUTHORITY=${HOME}/.Xauthority" >> "$SUDOX1"
    chmod 700 "$SUDOX1"
    sudo "$0" "$@"
fi
|
_________________ Cheers
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you!
Last edited by JeroenV on Fri Oct 27, 2006 1:15 pm; edited 1 time in total |
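The script in the post above has root source a file that lives in the caller's home directory and is owned by the caller, so the very user it is meant to confine can put any command into that file and have it run as root; it also hands root the user's whole .Xauthority instead of the one cookie the app needs. Below is an added example of a sudox that avoids both, written for this page and not the poster's script: the cookie for the current DISPLAY is exported with `xauth nlist` and piped to the root side, which validates it, merges it into a root-owned temporary authority file with `xauth nmerge`, runs an allowlisted app, and cleans up. Assumed names are /usr/local/bin/sudox as the install path, /usr/bin/kdar and /usr/bin/dar as the permitted apps, and a sudoers rule that keeps DISPLAY for this command (see the note after the code).

```shell
#!/bin/sh
# Added example, not the poster's script: a sudox that hands the X cookie to
# root through a pipe instead of sourcing a file from the caller's home.
# Assumed names: /usr/local/bin/sudox (install path), /usr/bin/kdar and
# /usr/bin/dar (the allowed X apps), and a sudoers rule keeping DISPLAY.
SUDOX_SELF=/usr/local/bin/sudox

# Allowlist: map a short name to an absolute path, so neither the caller's
# PATH nor an arbitrary argv[1] decides what runs as root.
sudox_resolve() {
  case "$1" in
    kdar) printf '%s\n' /usr/bin/kdar ;;
    dar)  printf '%s\n' /usr/bin/dar ;;
    *)    return 1 ;;
  esac
}

# DISPLAY must look like [host]:N[.M]; anything else is refused before it
# reaches xauth or a command line.
sudox_valid_display() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]*:[0-9]+(\.[0-9]+)?$'
}

# stdin: `xauth nlist` output from the caller. Pass through only lines made
# of hex fields (family addrlen addr numlen num namelen name datalen data);
# fail if nothing survives. Root never interprets this data as shell.
sudox_filter_cookies() {
  count=0
  while IFS= read -r line; do
    if printf '%s\n' "$line" | grep -Eq '^[0-9A-Fa-f]+( +[0-9A-Fa-f]*)*$'; then
      printf '%s\n' "$line"
      count=$((count + 1))
    fi
  done
  [ "$count" -gt 0 ]
}

# Runs as the calling user (backupop). Only the cookie for the current
# display leaves ~/.Xauthority, and it travels through the pipe, not a file.
sudox_client() {
  sudox_resolve "$1" >/dev/null || { echo "sudox: $1 is not an allowed app" >&2; return 2; }
  sudox_valid_display "${DISPLAY-}" || { echo "sudox: DISPLAY unset or malformed" >&2; return 2; }
  xauth nlist "$DISPLAY" | sudo "$SUDOX_SELF" --root "$@"
}

# Runs as root via sudo. Re-checks everything: sudoers is the gate, but argv
# and the environment still come from the caller.
sudox_root() {
  [ -n "${SUDO_UID-}" ] || { echo "sudox: must be started through sudo" >&2; return 2; }
  exe=$(sudox_resolve "$1") || return 2
  shift
  sudox_valid_display "${DISPLAY-}" || return 2
  umask 077
  dir=$(mktemp -d /tmp/sudox.XXXXXX) || return 1
  XAUTHORITY="$dir/Xauthority"
  export XAUTHORITY
  # Keep only well-formed cookie lines, then build a root-owned authority
  # file (mode 0600 under the umask) holding just the forwarded cookie.
  cookies=$(sudox_filter_cookies) || { rm -rf "$dir"; return 1; }
  if ! printf '%s\n' "$cookies" | xauth nmerge -; then
    rm -rf "$dir"
    return 1
  fi
  "$exe" "$@" </dev/null
  status=$?
  rm -rf "$dir"
  return "$status"
}

case "${1-}" in
  --root) shift; sudox_root "$@" ;;
  "")     ;;                       # no arguments: only define the functions
  *)      sudox_client "$@" ;;
esac
```

The matching sudoers entries (assumed, matching the paths above) are `Defaults!/usr/local/bin/sudox env_keep += "DISPLAY"` so the root side sees the caller's DISPLAY, and `backupop ALL=(root) NOPASSWD: /usr/local/bin/sudox --root kdar`, which permits exactly that argument list and nothing else; the cookie itself needs no sudoers help because it arrives on stdin. The key in backupop's authorized_keys can additionally be pinned to this one use with a `command="/usr/local/bin/sudox kdar"` forced command while leaving X11 forwarding enabled. The root side still trusts its caller for the restore itself, which is the limitation the poster already acknowledges.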
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Fri Oct 27, 2006 12:45 pm Post subject: |
Moved from Networking & Security to Documentation, Tips & Tricks.
Perhaps most people are happy to just use gksu instead of creating their own _________________ Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand |
JeroenV Guru
Joined: 16 Jul 2002 Posts: 447 Location: Amsterdam / Hamburg
Posted: Fri Oct 27, 2006 1:04 pm Post subject: |
Quote: |
Perhaps most people are happy to just use gksu instead of creating their own
|
The idea is to do a passwordless ssh (public key) connection to a server as the backupop user, that has limited rights, but to execute dar and kdar as root because they have to be able to access all files on the file-system...
The reason behind this is, that I don't want to authorise the backupop to do any other things as root. (I understand that this would theoretically be possible by "restoring" certain config files, but the backupop is trusted, however should not be encouraged to do other administrative tasks on the server)
Of course I'd love to hear suggestions, if the following conditions can be met:
- passwordless (pubkey)
- limited root access (only to chosen executables, like sudo)
- ability to run (only chosen) X-apps as root (2), while primarily authenticated as another user (1)
_________________ Cheers
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you! |
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
JeroenV Guru
Joined: 16 Jul 2002 Posts: 447 Location: Amsterdam / Hamburg
Posted: Sat Oct 28, 2006 4:52 pm Post subject: |
Thanks!
Looks good, I'll give it a try
Your (I suppose it's you) other scripts also might come in handy, I bookmarked the page... _________________ Cheers
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you! |