From: Arvind <lists@duh-uh.com>
To: linux-admin@vger.kernel.org
Subject: Re: Sudo
Date: Sun, 22 Jun 2003 09:40:10 +0530
Message-ID: <20030622041010.GA24271@localhost>
In-Reply-To: <20030619210801.298A0445D@sitemail.everyone.net>
[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]
Hi,
>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> But the problem is, say user1 wants to install abc.rpm and as
> he is restricted, he/she cannot install. But there is one way.
> If the user changes the name of the rpm, say "cp abc.rpm
> xyz.rpm" and then user1 can easily install xyz.rpm. And if you
> login as root and query for the package abc.rpm, it says
> abc.rpm is installed, even though the user has installed it
> with a different name.

Here's one way to do it, using an external script, though:

1. Create a file (say reject.rpms) with a newline-delimited list
   of rpm regexes to reject. This is a list of the real rpm names.
   Ex:

   $ cat reject.rpms
   abc.*
   pqr.*

2. Then, write a small shell script like the one attached as a
   wrapper to rpm (say userrpm).

3. Give root permission to this script in /etc/sudoers, without
   password.

   user ALL=(root) NOPASSWD:/usr/local/bin/userrpm

Your users will have to use this as:

   $ sudo userrpm -Uvh abc-1.0.0.rpm

Well, as has already been mentioned many times in this
thread, this is extremely insecure. It's not very difficult to
get past even this check. I wouldn't recommend using this.

Arvind
--
.~.
/V\
// \\
/( )\
^`~'^
[-- Attachment #2: userrpm --]
[-- Type: text/plain, Size: 520 bytes --]
#!/bin/ksh

# Get a list of rpms from the command line. That is, ignore all rpm
# options and so on.
rpmlist="`echo $* | tr -s ' ' '\n' | grep '\.rpm$'`"

for each in $rpmlist
do
    # Get the actual rpm name.
    rpmname="`rpm -qp "$each" --qf '%{NAME}'`"

    # Check against given list of rpms to reject.
    retval="`echo $rpmname | grep -v -q -f reject.rpms; echo $?`"
    if [ "$retval" != 0 ]
    then
        echo "You don't have permission to install $each ($rpmname)."
        exit 1
    fi
done

exec rpm "$@"
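
An added example, not part of Arvind's message or attachment: a fail-closed variant of the name check that reads its list from a fixed absolute path, matches header names exactly against an allow list (instead of the regex reject list above), and refuses any argument it does not recognise. The path /etc/userrpm.allow and the names pkg_name and check_args are assumptions; like the original it looks only at the NAME tag and does not verify who built the package, so it narrows the wrapper's gaps without making it a trust boundary.

```shell
#!/bin/sh
# Added example: fail-closed policy check for a sudo-invoked rpm wrapper.
# ALLOW_LIST, pkg_name and check_args are assumptions, not from the post.

# Fixed absolute path (hypothetical), root-owned, one exact package name per
# line. Never resolved relative to the caller's working directory.
ALLOW_LIST=/etc/userrpm.allow

# Print the NAME tag from a package file's header (the query the post uses).
pkg_name() {
    rpm -qp --qf '%{NAME}' "$1" 2>/dev/null
}

# Succeed only if every argument is a permitted option or a package file
# whose header NAME is an exact line in ALLOW_LIST. Anything else is refused.
check_args() {
    [ -r "$ALLOW_LIST" ] || { echo "policy list unreadable" >&2; return 2; }
    seen=0
    for arg in "$@"; do
        case "$arg" in
            -U|-v|-h|-Uvh) continue ;;           # options the wrapper allows
            -*) echo "option not permitted: $arg" >&2; return 1 ;;
        esac
        # Every remaining argument is treated as a package, whatever its
        # file name or extension; the decision uses the header, not the name.
        name=$(pkg_name "$arg") || name=""
        case "$name" in
            ""|*[!A-Za-z0-9._+-]*)
                echo "cannot read package name: $arg" >&2; return 1 ;;
        esac
        if ! grep -Fxq -e "$name" "$ALLOW_LIST"; then
            echo "not permitted: $arg ($name)" >&2; return 1
        fi
        seen=1
    done
    [ "$seen" -eq 1 ]    # at least one package must have been checked
}

# Wrapper body would be:  check_args "$@" || exit 1; exec rpm "$@"
```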