Re: [ESA-20010711-02] sudo elevated privileges vulnerability

[Steffen Dettmer <steffen () dett de>]

* Jonathan A. Zdziarski wrote on Mon, Jul 16, 2001 at 12:04 -0400:
> If, however, you are looking for a good way to allow someone to
> edit files using sudo, and have already rejected the idea of
> using groups or acls, consider 'elvis'. 

When you have a file writeable by root only, there's no need to
run the whole edit session as sudo root. You could create some
wrapper, which gets the file from a special non-privileged user
and puts it - after some consitency checks - at the right place.
Of course the file must not be a symlink and so on. By this, the
wrapper can do a diff -u and mail the result to root if desired.

I cannot understand why people run complex programs as root if
they need the privilege for a few system calls only!

oki,

Steffen

-- 
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.