[wellylug] aliases/postfix/bash etc
Jamie Baddeley
wellylug at vpc.co.nz
Thu Oct 7 13:58:05 NZDT 2004
On Thu, 2004-10-07 at 13:33, Ewen McNeill wrote:
thanks for replies guys.
> In message <1097107673.16970.149.camel at titan.fx.net.nz>, Jamie Baddeley writes:
> >I have a small script that parses incoming email and creates a file in a
> >spool directory. The script is called by an alias.
> >[but it doesn't have the right permissions to create the file]
>
> sudo is your friend.
>
> Create a sudo entry which allows:
> - the user that is running the script (viz, nobody)
> - to run a command (eg, the second stage shell script -- allowing it to
> run "mv" is possibly a bigger security hole than you want to deal with)
> - as a user with the appropriate permission (eg, a user in the right
> group to write to the directory)
> - without supplying a password ("NOPASSWD" -- "man 5 sudoers" is your
> friend too)
I'll try this. This is new and different.
>
> Alternatively -- and the more traditional way -- create a small C
> program which performs the task, compile that, and setgid it to an
> appropriate group arranging so that the user which needs the
> permissions can run it. (Writing such a program safely in C can be
> non-trivial since, eg, you don't want to allow renaming arbitrary files.)
>
I've done this approach before - thanks for reminding me.
> And as yet another option, use an interpreter that will recognise setuid
> bits (eg, suid-perl) rather than a shell script (setuid/setgid shell
> scripts are just a security nightmare, which is why it deliberately
> doesn't work on most unixes).
>
Ahh, like perl.
> Ewen
>
> PS: You could always use kannel -- which takes sms submissions via a web
> interface -- instead. This is what I'm currently using.
--
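
An added example (not code from the thread or from either poster) of the setgid C helper option mentioned above: it reads the message on stdin and creates the spool file itself, so the unprivileged caller never passes a file name and cannot get an arbitrary file renamed or overwritten. The spool path, the `msg.` prefix and the function name `spool_message` are hypothetical, and the binary is assumed to be installed setgid to the group that owns the spool directory.

```c
/* Added example: setgid helper that spools stdin into a fixed directory.
 * SPOOL_DIR and the "msg." prefix are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPOOL_DIR "/var/spool/smsgw"  /* hypothetical, fixed at build time */

/* Copy in_fd into a new file under dir. The caller supplies no file name,
 * so it cannot make the helper touch or rename an existing file.
 * Returns 0 and stores the final path in out, or -1 on any failure. */
int spool_message(const char *dir, int in_fd, char *out, size_t outlen)
{
    char tmp[1024], buf[4096];
    ssize_t n, w, off;
    int fd, len;

    len = snprintf(tmp, sizeof tmp, "%s/.tmp.XXXXXX", dir);
    if (len < 0 || (size_t)len >= sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)          /* exclusive create, mode 0600 */
        return -1;
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)
            if ((w = write(fd, buf + off, (size_t)(n - off))) <= 0)
                goto fail;
    if (n < 0 || fchmod(fd, 0660) != 0)   /* group-writable for the consumer */
        goto fail;
    /* Publish under a visible name; link() fails rather than overwrites. */
    len = snprintf(out, outlen, "%s/msg.%s", dir, tmp + strlen(tmp) - 6);
    if (len < 0 || (size_t)len >= outlen || link(tmp, out) != 0)
        goto fail;
    close(fd);
    unlink(tmp);
    return 0;
fail:
    close(fd);
    unlink(tmp);
    return -1;
}

int main(void)
{
    char path[1024];
    return spool_message(SPOOL_DIR, STDIN_FILENO, path, sizeof path) == 0
               ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The spool consumer should skip dot-prefixed names, since those are messages still being written.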