Originally posted by 独孤九贱 on 2006-2-16 11:47:
I'd like to ask chinaux: once a program is confined in this way, is there a way to keep it from losing access to the libraries, files and other resources it needs on the original root filesystem?
For example, I have configured the network card and need a program to modify /etc/sysconfig/network-scripts/XXX and similar files...
It can be done via sudo, and the binary does not need to be copied to /home/xxx/bin; only "sudo" needs to be copied.
e.g., I'd like the restricted user "xxx" to be able to run "lsof" as root, and to run "dmesg" as the user "chinaux":
1. # cp -a /usr/sbin/sudo /x/home/bin
2. # visudo
and add the following 2 lines:
xxx ALL=/usr/sbin/lsof
xxx ALL=(chinaux) /bin/dmesg
then, "xxx" can run "sudo /usr/sbin/lsof" & "sudo -u chinaux /bin/dmesg" (don't configure "vi" in sudo)
as for file modification, if the file is owned by "xxx", then copy "/bin/rvi" (restricted vi, it comes from vim-minimal, see vi for more info) to /home/xxx/bin, and "xxx" will be able to run "rvi /anypath/a_file_owned_by_xxx"; if the file is owned by someone else, you might have to do more:
1. mkdir /home/xxx/tmp; touch /xxx /home/xxx/tmp/me; chown -R xxx /home/xxx/tmp
2. configure the 2 lines on sudoers:
xxx ALL=(xxx) /bin/cp /etc/sysconfig/network-scripts/ifcfg-eth0 /xxx /home/xxx/tmp
xxx ALL=/bin/cp /xxx /home/xxx/tmp/ifcfg-eth0 /etc/sysconfig/network-scripts
and then, "xxx" runs the following to modify /etc/sysconfig/network-scripts/ifcfg-eth0:
$ sudo -u xxx /bin/cp /etc/sysconfig/network-scripts/ifcfg-eth0 /xxx /home/xxx/tmp
$ rvi tmp/ifcfg-eth0
$ sudo /bin/cp /xxx /home/xxx/tmp/ifcfg-eth0 /etc/sysconfig/network-scripts
to avoid repeatedly typing the password, put "NOPASSWD:" just in the front of the command, e.g.:
xxx ALL=(chinaux) NOPASSWD: /bin/dmesg
[ This post was last edited by chinaux on 2006-2-16 14:48 ]
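The reply above relies on each sudoers line granting exactly one command, with fixed arguments where the command could otherwise write anywhere, and it warns against handing "vi" to sudo. The following audit script is an added example, not code from the post or from the sudo project: it parses sudoers lines of the simple shape used above (user host=(runas) TAG: command args) and flags the rules a reviewer would want to revisit: ALL, editors/pagers/shells that can run other commands, wildcards, and file-writing tools granted with no fixed arguments (sudo then accepts any arguments). The sample rules are constructed here; the post's own lines are included, and the lists of shell-capable and file-writing programs are assumptions beyond the post's "vi".

```python
import re
from dataclasses import dataclass

# Regex for the sudoers rule shape used in the post:
#   user host=(runas) TAG: command [args]
# (assumption: no aliases, no comma-separated command lists)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+?)\s*$"
)

# Programs that can run other commands from inside (the post warns
# about vi; the others are assumptions added for this audit).
SHELL_CAPABLE = {"vi", "vim", "view", "less", "more", "sh", "bash", "su"}
# Programs that write arbitrary files when the rule fixes no arguments.
FILE_WRITERS = {"cp", "mv", "tee", "chmod", "chown"}

# Constructed sample: the post's rules plus two rules it advises against.
SAMPLE_RULES = [
    "xxx ALL=/usr/sbin/lsof",
    "xxx ALL=(chinaux) /bin/dmesg",
    "xxx ALL=(xxx) /bin/cp /etc/sysconfig/network-scripts/ifcfg-eth0 /xxx /home/xxx/tmp",
    "xxx ALL=/bin/cp /xxx /home/xxx/tmp/ifcfg-eth0 /etc/sysconfig/network-scripts",
    "xxx ALL=(chinaux) NOPASSWD: /bin/dmesg",
    "xxx ALL=/usr/bin/vi",   # editor with a shell escape: not allowed
    "xxx ALL=/bin/cp",       # cp with no fixed arguments: writes any file as root
]


@dataclass
class Rule:
    user: str
    host: str
    runas: str       # "root" when the rule has no (runas) part
    tags: tuple      # e.g. ("NOPASSWD",)
    command: str
    args: tuple      # empty means sudo accepts any arguments


def parse_rule(line):
    """Split one sudoers line into its fields; raise on unknown shapes."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed sudoers line: {line!r}")
    tags = tuple(t.rstrip(":") for t in m.group("tags").split())
    words = m.group("cmd").split()
    return Rule(m.group("user"), m.group("host"), m.group("runas") or "root",
                tags, words[0], tuple(words[1:]))


def audit_rule(rule):
    """Return the list of concerns for one parsed rule (empty if none)."""
    findings = []
    base = rule.command.rsplit("/", 1)[-1]
    if rule.command == "ALL":
        findings.append("ALL: grants every command")
    if base in SHELL_CAPABLE:
        findings.append(f"{base}: can run other commands as {rule.runas}")
    if "*" in rule.command or any("*" in a for a in rule.args):
        findings.append("wildcard in command or arguments")
    if base in FILE_WRITERS and not rule.args:
        findings.append(f"{base} with no fixed arguments: writes any file as {rule.runas}")
    if "NOPASSWD" in rule.tags:
        findings.append("note: NOPASSWD, no password prompt")
    return findings


def audit(lines):
    """Return {rule line: [findings]} for every rule that raises a concern."""
    report = {}
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        findings = audit_rule(parse_rule(s))
        if findings:
            report[s] = findings
    return report


if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(rule)
        for f in findings:
            print("   ", f)
```

Run against the constructed sample, the post's lsof, dmesg and fixed-argument cp rules produce no findings, the NOPASSWD rule gets only a note, and the two rules the post advises against (vi, and cp with no arguments) are flagged.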