On Sun, Aug 19, 2007 at 09:53:20AM -0800, Ken Irving wrote:
> On Sun, Aug 19, 2007 at 07:56:07PM +0300, Andrei Popescu wrote:
> > On Sun, Aug 19, 2007 at 07:09:29AM -0800, Ken Irving wrote:
> >
> > > > > $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
> > > > >
> > > > > So, you can do it in one command, sudo is launching a shell, which is
> > > > > responsible for redirections, pipes, chaining commands...
> > > >
> > > > Please correct me if I'm wrong, but this defeats the purpose of
> > > > restricting sudo to a certain set of commands.
> > >
> > > The command here is 'sh', so this could be restricted as usual.
> >
> > Of course you could, but if you're able to run sh what prevents you from
> > using it to run anything else?
>
> I'm probably misunderstanding something (not sure what the OP's question
> was), but my point was just that you can prevent someone from running
> sh in the first place -- i.e., they wouldn't be able to do the above
> operation.

Probably I misunderstood what you meant. The OP was asking for a method
to use sudo to allow only certain operations.

> Any command/program that is allowed to be run under sudo could be misused
> if it allows the user to run a shell from within that program.

Yep

> I don't have much experience with using sudo to *carefully* grant
> privileges to untrusted users, but I would think one could put something
> like the above in a script which the user is allowed to run (as I think
> someone else may have suggested).

Yes, that should work, and seems to me like the best way to achieve the
desired result.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
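The script approach agreed on at the end of the message above, as an added example that is not part of the original thread: the quoted pipeline is placed in a fixed wrapper, and sudoers grants that wrapper instead of `sh`. The wrapper name and path, the user `alice`, and the `usage_report` function are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, installed root-owned and not user-writable as
# /usr/local/sbin/home-usage (name and path are assumptions).
#
# sudoers (edit with visudo; "alice" is a placeholder user):
#   weak:    alice ALL = (root) /bin/sh
#            # sh -c "..." then runs any command as root
#   tighter: alice ALL = (root) /usr/local/sbin/home-usage ""
#            # "" means the command is allowed only without arguments

# Write the disk usage of each entry in directory $1, largest first, to file $2.
usage_report() {
    # The subshell keeps the cd local; "--" stops names that begin with "-"
    # from being parsed as du options.
    (cd "$1" && du -s -- * | sort -rn) > "$2"
}

# Run the fixed job only when invoked under the wrapper's own name.
if [ "${0##*/}" = "home-usage" ]; then
    # Fixed PATH so du and sort cannot be substituted via the caller's environment.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    # No arguments accepted: the caller cannot choose the directory or the output file.
    [ "$#" -eq 0 ] || { echo "usage: home-usage" >&2; exit 2; }
    usage_report /home /home/USAGE
fi
```

The wrapper only narrows the grant if the user cannot modify the script or any directory on its path.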