[wellylug] aliases/postfix/bash etc
Ewen McNeill
wellylug at ewen.mcneill.gen.nz
Thu Oct 7 13:33:52 NZDT 2004
In message <1097107673.16970.149.camel at titan.fx.net.nz>, Jamie Baddeley writes:
>I have a small script that parses incoming email and creates a file in a
>spool directory. The script is called by an alias.
>[but it doesn't have the right permissions to create the file]

sudo is your friend.

Create a sudo entry which allows:

- the user that is running the script (viz, nobody)
- to run a command (eg, the second stage shell script -- allowing it to
  run "mv" is possibly a bigger security hole than you want to deal with)
- as a user with the appropriate permission (eg, a user in the right
  group to write to the directory)
- without supplying a password ("NOPASSWD" -- "man 5 sudoers" is your
  friend too)

Alternatively -- and the more traditional way -- create a small C
program which performs the task, compile that, and setgid it to an
appropriate group arranging so that the user which needs the
permissions can run it. (Writing such a program safely in C can be
non-trivial since, eg, you don't want to allow renaming arbitrary files.)

And as yet another option, use an interpreter that will recognise setuid
bits (eg, suid-perl) rather than a shell script (setuid/setgid shell
scripts are just a security nightmare, which is why it deliberately
doesn't work on most unixes).

Ewen

PS: You could always use kannel -- which takes sms submissions via a web
interface -- instead. This is what I'm currently using.