[fpc-pascal] shell script with root rights and automatic password

Rainer Stratmann rainerstratmann at t-online.de
Mon Dec 7 18:26:19 CET 2015


On Monday 07 December 2015 08:38:28 you wrote:
> Rainer Stratmann wrote:
> > What works is an entry in the sudoers file.
> > And then the program/script you can call with root rights.
> 
> I hope this is for something that will only ever run on your own
> machine, because unless you take a lot of precautions (hardcoding a set
> of *absolute* paths to scripts that may be executed this way like
> Michael mentioned can help, but only if you can guarantee none of these
> locations can be overwritten, symlinked to somewhere else or substituted
> through mounting), this is a security disaster waiting to happen.

I am aware of some security stuff, and I have often asked myself whether I should do more
for security. For example disabling ssh on the machine. And some more.

But in some cases I need root access. The location is secret and is deleted
after the call. That's all I can do so far.

Only this application runs on the machine.

With 'setuid binary' I am not familiar.

> A lot of security holes in various Unix-like OSes happen through abuse
> of setuid helpers or helper programs executed as root. If you really
> need to do something as root, having a small setuid binary that can only
> do this one thing is much safer than invoking a general purpose shell
> that can do anything. You can find a very basic overview of some issues
> at
> https://developer.apple.com/library/mac/documentation/OpenSource/Conceptual
> /ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html .
> 
> If everything mentioned there isn't completely obvious to you, please do
> not distribute any program that invokes shell scripts as root before you
> familiarise yourself very thoroughly with security at the Unix/shell
> level. And even if it is, ask yourself whether there is no safer way to
> achieve the same results.
> 
> 
> Jonas
> _______________________________________________
> fpc-pascal maillist  -  fpc-pascal at lists.freepascal.org
> http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal 
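A concrete shape for the "small setuid binary that can only do this one thing" recommended above, as an added example that is not from this thread or from FPC: a C helper that maps a fixed action name to a hard-coded absolute path and execs it with a clean environment, so the caller never supplies a path, a PATH lookup, or any argument that is forwarded. The action names and the /usr/local/libexec/myapp paths are assumptions; the directory is assumed root-owned and not writable by others.

```c
/* Minimal privileged helper (added example, not the list poster's code).
 * Installed root-owned with mode 4750 it runs one allowlisted action; the
 * action names and paths below are hypothetical placeholders. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

struct action { const char *name; const char *path; };

/* Allowlist: exact names mapped to absolute paths. Nothing here is derived
 * from user input, so relative paths, symlinked $PATH entries or "../"
 * tricks never reach execve(). */
static const struct action ACTIONS[] = {
    { "restart-network", "/usr/local/libexec/myapp/restart-network" },
    { "rotate-logs",     "/usr/local/libexec/myapp/rotate-logs" },
};

/* Return the fixed path for an allowed action name, or NULL if not allowed. */
const char *lookup_action(const char *name) {
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(ACTIONS[i].name, name) == 0) return ACTIONS[i].path;
    return NULL;
}

/* The helper accepts exactly one argument (the action name) and nothing else. */
int helper_argc_ok(int argc) { return argc == 2; }

/* Run the action fully as root with a minimal environment.
 * Never returns on success; returns -1 if refused or exec fails. */
int run_action(const char *name) {
    const char *path = lookup_action(name);
    if (!path) return -1;
    /* Make real uid match effective uid so the child cannot regain the caller's identity. */
    if (setuid(0) != 0) return -1;
    char *const argv[] = { (char *)path, NULL };
    /* Clean environment: no LD_*, IFS, or caller-controlled PATH reach the child. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(path, argv, envp);
    return -1;
}

int main(int argc, char **argv) {
    if (!helper_argc_ok(argc)) { fprintf(stderr, "usage: helper <action>\n"); return 2; }
    if (run_action(argv[1]) != 0) { perror("helper"); return 1; }
    return 0;
}
```

The same binary can also be the single absolute-path target of a sudoers rule instead of being setuid; either way the shell scripts themselves stay without the setuid bit and without a world-writable location.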
