Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
your opinion about "sudox" (sudo for X)?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
JeroenV
Guru
Guru


Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

PostPosted: Tue Oct 24, 2006 9:13 pm    Post subject: your opinion about "sudox" (sudo for X)? Reply with quote

Hi,

ages ago I wrote a liitle script called sudox, to be able to use an X app through sudo.
The reason: I have a backup operator backupop that needs to be able to restore system files using kdar and for that needs root access. The backupop logs in via ssh (with X11 forwarfing) to the server. However, I don't want to give backupop root access (by public key), to limit his actions.

(I know that potentially backupop can do anything when allowed to restore files as root, but backupop is trusted, it should just not be convenient to use that account for any sysadmin activity)

To make sudo work for kdar in this setting, I wrote this script to "forward" the X authorization. I'd like to hear your opinion about the do's and don'ts and security.

This one is executed as (which is the sudox command granted in sudoers):
Code:

/usr/local/bin/sudox kdar


Code:

# this script can be called by users that have both:
# 1) execute permissions for this script
# 2) have sudo permissions for this script

# The script first sets up an X environment for root,
# and then calls itself (recursively) via sudo, to execute
# the desired X application with root privileges
# Setting up the X environment in this context means:
# telling root where to find the .Xauthority file of the
# user executing sudo, so it can use it.

# !!! MAKE SURE EXECUTE PERMISSIONS FOR THIS FILE ARE SET SPARINGLY !!!
# !!! ALSO MAKE SURE /etc/sudoers IS CONFIGURED CORRECTLY !!!

# If $HOME/.sudox exists, the sudo command is executed after
# setting up the proper X environment.
# The $HOME/.sudox file is removed before executing the command,
# cleaning up any sensitive information

SUDOX=.sudox
SUDOX1=${HOME}/${SUDOX}
SUDOX2=/home/people/${SUDO_USER}/${SUDOX}

if [ -f "$SUDOX" ]; then
        # if we arrived here we are executed via sudo
        . $SUDOX2
        rm -f $SUDOX2
        $@
else
        echo "#! /bin/bash" > $SUDOX1
        echo "export DISPLAY=$DISPLAY" >> $SUDOX1
        echo "export XAUTHORITY=${HOME}/.Xauthority" >> $SUDOX1
        chmod 700 $SUDOX1
        sudo $0 $@
fi

_________________
Cheers 8)
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you!


Last edited by JeroenV on Fri Oct 27, 2006 1:15 pm; edited 1 time in total
Back to top
View user's profile Send private message
nixnut
Administrator
Administrator


Joined: 09 Apr 2004
Posts: 10973
Location: the dutch mountains

PostPosted: Fri Oct 27, 2006 12:45 pm    Post subject: Reply with quote

Moved from Networking & Security to Documentation, Tips & Tricks.

Perhaps most people are happy to just use gksu instead of creating their own :wink:
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand
Back to top
View user's profile Send private message
JeroenV
Guru
Guru


Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

PostPosted: Fri Oct 27, 2006 1:04 pm    Post subject: Reply with quote

Quote:

Perhaps most people are happy to just use gksu instead of creating their own


The idea is to do a passwordless ssh (public key) connection to a server as the backupop user, that has limited rights, but to execute dar and kdar as root because they have to be able to access all files on the file-system...

The reason behind this is, that I don't want to authorise the backupop to do any other things as root. (I understand that this would theoretically be possible by "restoring" certain config files, but the backupop is trusted, however should not be encouraged to do other administrative tasks on the server)

Of course I'd love to hear suggestions, if the following conditions can be met:

  1. passwordless (pubkey)
  2. limited root access (only to chosen executables, like sudo)
  3. ability to run (only chosen) X-apps as root (2), while primarily authenticated as another user (1)

_________________
Cheers 8)
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you!
Back to top
View user's profile Send private message
mv
Advocate
Advocate


Joined: 20 Apr 2005
Posts: 3784

PostPosted: Sat Oct 28, 2006 3:44 pm    Post subject: Reply with quote

A script with the same name and somewhat more functionality (allowing e.g. execution as another [non-root] user or with untrusted permissions) can be found at http://www.mathematik.uni-wuerzburg.de/~vaeth/download/index.html.
Back to top
View user's profile Send private message
JeroenV
Guru
Guru


Joined: 16 Jul 2002
Posts: 447
Location: Amsterdam / Hamburg

PostPosted: Sat Oct 28, 2006 4:52 pm    Post subject: Reply with quote

Thanks!

Looks good, I'll give it a try :)
Your (I suppose it's you :wink: ) other scripts also might come in handy, I bookmarked the page...
_________________
Cheers 8)
Jeroen
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
May The Source be with you!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum