System command on FreeBSD...

Bill Campbell bill at celestial.com
Wed Dec 29 11:54:47 PST 2004


On Wed, Dec 29, 2004, Bill Vermillion wrote:
>On Wed, Dec 29 12:16  Chad McWilliams said 'Who you talkin' to? You talkin'
...
>
>Now that I see what you want to do, I can make a suggestion.
>You'll have to change the way you test for the approved user
>however.
>
>Since 'id' will return the id and group memberships [of which there
>can be many in the BSD world] I think the only thing you can
>really depend upon to find the calling user is to use
>the 'who am i' command.  This will return the ID of the actual
>login.  Do NOT confuse this with the 'whoami' command which will
>return the EUID.
>
>There aren't many things that are that different from the Unix
>systems and the BSD systems - but this is certainly one of them.
>
>I also have a problem with the way part of the 'su' is implemented
>as using multiple 'su's can give some permissions they are not
>supposed to have.  I got a lively discussion started and many
>didn't see the problem, but then in the end those who run secure
>systems think the su stack should be limited to one - and that would
>fix any potential holes.    I had been using the FreeBSD for quite
>awhile when I discovered that one, and to my way of thinking it
>is an anomaly.
>
>But I think parsing the output of 'who am i' will do what you need
>it to do.

This may well be a place where ``sudo'' is appropriate.  It permits users
to run specific commands as other users (not necessarily root), and can be
tailored to your needs.  The sudo log file would show the id that attempted
to use it which would allow one to configure the sudoers file
appropriately.

FilePro may be running external commands as the filepro user or as the
original user depending on how they handle the internal fork, exec logic.
This has always been one of the things that makes life with filepro
``interesting''.  It was what forced me to learn how perl's ``taint''
checking worked because filepro print jobs which go through my ``lp'' front
end were triggering taintedness checks.

Bill
--
INTERNET:   bill at Celestial.COM  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``There is nothing as stupid as an educated man if you get him off the
thing he was educated in.''
    Will Rogers
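
An added example, not part of the original thread: one way to act on the quoted suggestion of parsing 'who am i' to find the login user, with the check failing closed when there is no terminal. The allow-list, user names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). APPROVED_USERS and every sample
# name below are hypothetical.
APPROVED_USERS="alice bob"

# Print the login name from one line of `who am i` output, e.g.
#   "alice   ttyp0   Dec 29 11:54 (host)"
# Some older who(1) implementations print "host!user"; strip that prefix.
login_user_from_who() {
    printf '%s\n' "$1" | awk 'NF { sub(/^.*!/, "", $1); print $1; exit }'
}

# Succeed only if NAME is a plain token present in the allow-list.
is_approved() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;   # empty or odd characters: deny
    esac
    case " $APPROVED_USERS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Decide from a `who am i` line. Empty output (no controlling terminal,
# for example a job forked without a tty) is denied, never defaulted.
caller_allowed() {
    is_approved "$(login_user_from_who "$1")"
}

# Constructed sample lines: two approved logins (one in host!user form),
# one unapproved login, and the empty no-tty case.
for line in \
    "alice    ttyp0    Dec 29 11:54 (10.0.0.5)" \
    "host1!bob ttyp1   Dec 29 12:16" \
    "mallory  ttyp2    Dec 29 12:20" \
    ""
do
    if caller_allowed "$line"; then verdict=allow; else verdict=deny; fi
    printf '%-45s -> %s\n' "[$line]" "$verdict"
done

# Live values on this host: login name from `who am i` beside the EUID name.
printf 'who am i: [%s]  EUID name: [%s]\n' \
    "$(login_user_from_who "$(who am i 2>/dev/null)")" "$(id -un)"
```

Run from a login session after an su, the last line shows the two names diverging; run without a terminal, the first value is empty and the check denies.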

