Running SYSTEM as user filepro

Bill Vermillion fp at wjv.com
Thu Nov 18 14:50:18 PST 2004


It was Thu, Nov 18 15:49  when Fairlight said "Mia kusenveturilo estas
plena da angiloj. And continued:

> Confusious (J. Ryan Kelley) say:
>
> > I've recently started a project in which a SYSTEM command is
> > used to copy a file to a directory on another server to which
> > only the user filepro has access. However, this copy fails
> > because the SYSTEM call runs as my user id rather than the
> > user filepro. Is there a way for me to have this command be
> > executed by the user filepro instead?

> Sounds like Linux on a post-bash2 system.

> I'd suggest getting and using sudo for this operation. The only
> problem is that you'll be able to specify the full path to
> /bin/cp, but that means that anyone that's allowed to do this
> from inside filepro can -also- do it from outside filepro, as
> sudo doesn't care what the invoking process was. So they could
> overwrite fP binaries, data files, etc.

> There's no terribly elegant way around that. I suppose
> if I -had- to do this, I'd go with copying /bin/cp to
> /appl/fp/fpsyshelper and let sudo work on -that-, and hopefully
> keep the very knowledge of its existance a secret by making
> /appl/fp mode 0711 so that people can access the binaries but
> can't get a directory listing. I'd really be wary of granting
> straight access to the main 'cp' binary arbitrarily though.

> I don't even particularly like the above solution--it borders
> on security through obscurity.

Borders??? I'd just say it is.

> Someone else feel free to chime in--I'd love to see
> something better proposed.  I'm drawing a blank at the moment.

Perhaps rcp. It's a bit more restrictive.

Bill
-- 
Bill Vermillion - bv @ wjv . com


More information about the Filepro-list mailing list