[TriLUG] Help with setuid C wrapper script

Ron Kelley rkelleyrtp at gmail.com
Wed Oct 13 08:31:34 EDT 2010


Thanks for the syntax Jonathan.  However, this is what happens when I try to do the command:

[root@test-svr1 ~]# ssh rmaint@1.2.3.4 "tail -100 /var/log/messages"
tail: cannot open `/var/log/messages' for reading: Permission denied


Here is what is in /etc/sudoers:
--------------------------------
rmaint ALL=(root) NOPASSWD: /usr/bin/tail -100 /var/log/messages, /usr/bin/tail -50 /var/log/secure


Also, /var/log/messages and /var/log/secure both have permission mode of 600 (as in, rw--------).


I have tried various syntax lines in /etc/sudoers but always get permission denied.  In fact, this is what I tried prior to sending the original email to the alias.  Thus, I had to fall back to a suid C program.  Have you tried the above statements in your sudoers file?


BTW - I have the suid C program working fine.  But, as we all know, keeping a single suid utility updated and pushed out to all servers is a real PITA.



Thanks again,

-Ron





On Oct 12, 2010, at 8:23 PM, Jonathan Woodbury wrote:

> Ron,
> 
> Based on what I can see in your first few emails on this, I believe this
> will give you precisely what you asked for:
> 
> someuser ALL=(root) NOPASSWD: /usr/bin/tail -100 /var/log/messages,
> /usr/bin/tail -50 /var/log/secure
> 
> This will allow someuser to execute tail with those exact arguments as root
> without prompting the user for a password.  Some other folks have nicely
> pointed out that you could use syntax described in the Wildcards section of
> the sudoers man page to loosen the restrictions on what arguments could be
> passed to tail.  But it didn't look like you were heading in that direction
> from what I saw in your source code example.  Explicit and simple has its
> virtue.
> 
> I hope this helps,
> Jonathan

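For comparison with the fixed sudoers entry quoted above, here is a minimal setuid wrapper restricted to the same two commands. It is an added example, not the program discussed in this thread (whose source is not shown here); the keywords `messages` and `secure` and the fallback name `logtail` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed commands copied from the sudoers line in the thread. The keywords
 * "messages" and "secure" are assumptions made for this example. */
static char *const TAIL_MESSAGES[] = { "/usr/bin/tail", "-100", "/var/log/messages", NULL };
static char *const TAIL_SECURE[]   = { "/usr/bin/tail", "-50",  "/var/log/secure",   NULL };

/* Map a caller-supplied keyword to a compiled-in argv. The keyword only
 * selects an entry; no caller-supplied string ever reaches execve(). */
char *const *select_command(const char *keyword)
{
    if (keyword == NULL) return NULL;
    if (strcmp(keyword, "messages") == 0) return TAIL_MESSAGES;
    if (strcmp(keyword, "secure") == 0)   return TAIL_SECURE;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Empty environment: PATH, IFS, LD_* and similar are not inherited. */
    char *const empty_env[] = { NULL };
    char *const *cmd = (argc == 2) ? select_command(argv[1]) : NULL;

    if (cmd == NULL) {
        /* argc can be 0 when the caller passes an empty argv. */
        fprintf(stderr, "usage: %s messages|secure\n", argc > 0 ? argv[0] : "logtail");
        return 2;
    }
    /* Absolute path plus execve(): no shell and no PATH search. */
    execve(cmd[0], cmd, empty_env);
    perror("execve");
    return 1;
}
```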