[ale] Write permission

DJ-Pfulio DJPfulio at jdpfu.com
Mon May 16 18:20:28 EDT 2016


On 05/16/16 18:10, Jim Kinney wrote:
> Yeah. Both names and binaries change often.
> 
> I typically have a script that calls sudo internally they can run. The
> script does the sudo su - userfoo and calls the supplied binary with
> supplied params to run as userfoo. Users are blocked from just running
> sudo su as they don't have root or userfoo password.
> 

That is not the way I'd sudo to another account. Loses too much
traceability. The sudoers have configuration settings for this stuff -
never go through root.  RunAs is the option in the sudoers.

Just because they changed the binary name in the past doesn't mean they
need to going forward.  You can also use sudoers with a wildcard to
specify /full/path/to/binary2016* as the allowed programs they can run.
Don't recall the exact option - it is in the sudoers manpage.

Every time I read the sudoers manpage, I learn something new.
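
A sketch of the Runas approach described in the message above, as an added example that is not part of the original post. `userfoo` and the path pattern come from the thread; the group name `appusers`, the alias names and the sample binary name in the comments are assumptions.

```sudoers
# /etc/sudoers.d/app-runas  (constructed example, edit with visudo)

# Target account the binaries run as. No step through root is involved.
Runas_Alias APP_RUNAS = userfoo

# Allowed programs. The wildcard covers binaries whose names change,
# as long as they stay under one fixed directory and share a prefix.
# A '*' in the command path does not match '/', so the pattern cannot
# reach into other directories.
# No argument list is given here, so any arguments are accepted.
Cmnd_Alias APP_BINS = /full/path/to/binary2016*

# Members of the (hypothetical) appusers group may run APP_BINS as
# userfoo only. They authenticate with their own password, so nobody
# needs the root or userfoo password.
%appusers ALL = (APP_RUNAS) APP_BINS

# Invocation by a group member (binary name is a constructed sample):
#   sudo -u userfoo /full/path/to/binary20160516 --some-option
#
# sudo's log entry then records the invoking user, the target user
# (userfoo) and the full command line, which is the traceability a
# wrapper around "sudo su - userfoo" does not give.
```

A fragment like this can be syntax-checked before it is installed with `visudo -c -f <file>`. The directory holding the matched binaries has to be writable only by trusted accounts, since anything placed there under a matching name becomes runnable as userfoo.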

