On Sat, Jun 04, 2005 at 05:58:18PM -0700, Russ Allbery wrote: > Roberto C Sanchez <[EMAIL PROTECTED]> writes: > > > Today Kevin Mark poitned out[0] that I should turn a brief outline I > > gave[1] on how to customize Debian pacakges into a full blown HOWTO. I > > have done that and the result [2] is now available to the public. I > > would like to announce it in the hopes that new and experienced Debian > > developers and users will review it and provide some feedback. After a > > week or so, I will probably submit it to some Debian-related wikis and > > websites. But, I first want to make sure that it is in reasonable shape > > before I *really* present it to the world :-) > > > [2] http://familiasanchez.net/~sanchezr/?page=debcustomize > > Eep, please don't tell people to give themselves full privileges with sudo > unless they know what they're doing. The sudo configuration here is just > to run pbuilder, right? If so, just recommend something like: > > bob ALL = NOPASSWD: /usr/sbin/pbuilder > bob ALL = NOPASSWD: /usr/lib/pbuilder/pbuilder-satisfydepends > > This is sufficient in my experience.
It won't provide you with any additional security though, so it will only give a false sense of security. If you can run pbuilder with any argument, you can specify an arbitrary configfile, and that way have any arbitrary command run as root. Even if it's only in the chroot, which I didn't check right now, as root in a chroot you can break out and be root on the host system. --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
