Running SYSTEM as user filepro

Fairlight fairlite at fairlite.com
Thu Nov 18 12:49:23 PST 2004


Confusious (J. Ryan Kelley) say:
> I've recently started a project in which a SYSTEM command is used to copy a
> file to a directory on another server to which only the user filepro has
> access.  However, this copy fails because the SYSTEM call runs as my user id
> rather than the user filepro.  Is there a way for me to have this command be
> executed by the user filepro instead?

Sounds like Linux on a post-bash2 system.

I'd suggest getting and using sudo for this operation.  The only problem is
that you'll be able to specify the full path to /bin/cp, but that means
that anyone that's allowed to do this from inside filepro can -also- do it
from outside filepro, as sudo doesn't care what the invoking process was.
So they could overwrite fP binaries, data files, etc.

There's no terribly elegant way around that.  I suppose if I -had- to do
this, I'd go with copying /bin/cp to /appl/fp/fpsyshelper and let sudo work
on -that-, and hopefully keep the very knowledge of its existence a secret
by making /appl/fp mode 0711 so that people can access the binaries but
can't get a directory listing.  I'd really be wary of granting straight
access to the main 'cp' binary arbitrarily though.

I don't even particularly like the above solution--it borders on security
through obscurity.  Someone else feel free to chime in--I'd love to see
something better proposed.  I'm drawing a blank at the moment.

mark->
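
Added example, not part of the original post: one way to narrow the exposure described above is to let sudo run a fixed-purpose helper instead of a copy of cp, so that a caller outside filePro still cannot choose the source or destination directory. The helper name, group name, and directory paths are assumptions.

```shell
#!/bin/sh
# Restricted copy helper, intended to be the only command granted in sudoers.
# Assumed sudoers entry (edit with visudo; group and path are hypothetical):
#   %fpusers ALL=(filepro) NOPASSWD: /usr/local/sbin/fp-push
# Called from the application as: sudo -u filepro /usr/local/sbin/fp-push NAME
# The helper itself must be root-owned and not writable by ordinary users.

SRC_DIR="/appl/fp/outbound"      # assumed spool directory readable by filepro
DEST_DIR="/mnt/remote/inbound"   # assumed mount of the directory on the other server

# Succeeds only for a plain file name: no path parts, no leading dash or dot.
valid_name() {
    case "$1" in
        ''|.*|-*|*/*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Copy one file from SRC_DIR to DEST_DIR; the caller picks only the name.
fp_push() {
    name="$1"
    valid_name "$name" || { echo "fp-push: rejected name" >&2; return 2; }
    src="$SRC_DIR/$name"
    # Refuse symlinks so the helper cannot be aimed at files outside SRC_DIR.
    [ -f "$src" ] && [ ! -L "$src" ] || { echo "fp-push: not a regular file" >&2; return 3; }
    # Refuse to replace anything already present at the destination.
    if [ -e "$DEST_DIR/$name" ] || [ -L "$DEST_DIR/$name" ]; then
        echo "fp-push: destination exists" >&2; return 4
    fi
    cp -- "$src" "$DEST_DIR/$name"
}

# Act as a command only when installed under the assumed helper name.
case "${0##*/}" in
    fp-push) [ "$#" -eq 1 ] || { echo "usage: fp-push FILE" >&2; exit 64; }
             fp_push "$1" ;;
esac
```

The existence check and the copy are separate steps, so DEST_DIR should be writable only by filepro.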

