Date: Mon, 10 Dec 2001 18:03:14 +0200 From: Sheldon Hearn <sheldonh@starjuice.net> To: "Ronan Lucio" <ronan@melim.com.br> Cc: security@freebsd.org Subject: Re: Accessing as root Message-ID: <60409.1008000194@axl.seasidesoftware.co.za> In-Reply-To: Your message of "Mon, 10 Dec 2001 18:01:20 %2B0200." <60355.1008000080@axl.seasidesoftware.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote: > > I need to make some scripts to change the password and another > > things like that need root permissions, but: > > > > How can I do it without opening a security hole in the server? > > What is the best way to do it? > > 1) Limit exposure to just those commands that need privelege, by passing > your command as arguments to the su(1) command. This is stupid advice, sorry. You need to make your script setuid root (see chmod(1)). If the script is big, or does complex input handling, consider breaking out the part that needs privelege into its own smaller script, called by a wrapper that does input sanity checking. Ultimately, you want to limit the privelege to as little work as possible. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?60409.1008000194>