
Re: forcing a shell script to run a specific user?



thanks, sudo was my other option, but i am not certain whether or not it
will fit my needs. currently, every time i have seen sudo implemented, i
am prompted for a password.
i am setting up a model for lunar that will allow a main machine to update
configuration files on a remote server, and then restart a service using
ssh. the config files would be updated through rsync using ssh as
transport, and then i am hoping for example, to be able to restart, say
dns, by issuing:

	ssh -l cmenzes ns2.lunarmedia.net "sudo /usr/bin/ndc reload"

now, if sudo will prompt me for my password, well, i am back to square
one.


On Sat, 5 Aug 2000, Steven Pritchard wrote:

> Charles Menzes said:
> > is there any way to force a shell script to run as a specific user despite
> > who actually initiates it?
> 
> No.  Setuid shell scripts are inherently insecure, and no modern Unix
> allows them.  You'll either have to write a wrapper, or use something
> like sudo.
> 
> A wrapper could be something as simple as the following:
> 
>     #include <stdio.h>
>     #include <stdlib.h>
>     #include <unistd.h>
> 
>     /* Make sure this is an absolute path. */
>     #define SCRIPT "/path/to/script"
> 
>     int main(void)
>     {
>         char *safe_envp[]={"SHELL=/bin/sh", "PATH=/bin:/usr/bin", NULL};
> 
>         if (execle(SCRIPT, SCRIPT, (char *)NULL, safe_envp)==-1)
>         {
>             perror("execle("SCRIPT") failed");
>             exit(EXIT_FAILURE);
>         }
> 
>         return 1;
>     }
> 
> Still, keep in mind that this is generally not considered a very safe
> thing to do, so be careful...
> 
> Steve
> 
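
Added example, not part of the original thread: sudo skips the password prompt only for commands tagged `NOPASSWD` in sudoers. The fragment below sets a broad grant beside one limited to the exact command from the message above; the user name and command come from that message, and the host field `ALL` is an assumption.

```sudoers
# Constructed sudoers fragment. Edit it with visudo so that a syntax
# error is caught before it can lock sudo out.

# Too broad (left commented out): every command as root, no password.
# Anyone holding the SSH key for this account is then root on the server.
# cmenzes ALL = (root) NOPASSWD: ALL

# Narrow: only this exact command line runs without a password.
# Arguments are matched literally, so "ndc stop" or "ndc reload foo"
# is not covered by this rule.
cmenzes ALL = (root) NOPASSWD: /usr/bin/ndc reload
```

Running `sudo -l` as that user lists what has been granted. In an unattended ssh call, `sudo -n` makes sudo fail instead of waiting on a password prompt if the rule does not match.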
