From mboxrd@z Thu Jan 1 00:00:00 1970
From: Arvind
Subject: Re: Sudo
Date: Sun, 22 Jun 2003 09:40:10 +0530
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <20030622041010.GA24271@localhost>
References: <20030619210801.298A0445D@sitemail.everyone.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="DocE+STaALJfprDB"
Return-path:
Content-Disposition: inline
In-Reply-To: <20030619210801.298A0445D@sitemail.everyone.net>
List-Id:
To: linux-admin@vger.kernel.org

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi,

>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> But the problem is, say user1 wants to install abc.rpm and as
> he is restricted, he/she cannot install. But there is one way.
> If the user changes the name of the rpm, say "cp abc.rpm
> xyz.rpm" and then user1 can easily install xyz.rpm. And if you
> login as root and query for the package abc.rpm, it says
> abc.rpm is installed, even though the user has installed it
> with a different name.

Here's one way to do it, using an external script, though:

1. Create a file (say reject.rpms) with a newline delimited list of
   rpm regexes to reject. This is a list of the real rpm names. Ex:

   $ cat reject.rpms
   abc.*
   pqr.*

2. Then, write a small shell script like the one attached as a
   wrapper to rpm (say userrpm).

3. Give root permission to this script in /etc/sudoers, without
   password.

   user ALL=(root) NOPASSWD:/usr/local/bin/userrpm

Your users will have to use this as:

$ sudo userrpm -Uvh abc-1.0.0.rpm

Well, as has already been mentioned many times in this thread,
this is extremely insecure. It's not very difficult to get past even
this check. I wouldn't recommend using this.

Arvind
-- 
 .~.
 /V\
// \\
/( )\
^`~'^

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=userrpm

#!/bin/ksh

# Get a list of rpms from the command line. That is, ignore all rpm
# options and so on.
rpmlist="`echo $* | tr -s ' ' '\n' | grep '\.rpm$'`"

for each in $rpmlist
do
    # Get the actual rpm name.
    rpmname="`rpm -qp "$each" --qf '%{NAME}'`"

    # Check against given list of rpms to reject.
    retval="`echo $rpmname | grep -v -q -f reject.rpms; echo $?`"

    if [ "$retval" != 0 ]
    then
        echo "You don't have permission to install $each ($rpmname)."
        exit 1
    fi
done

exec rpm "$@"

--DocE+STaALJfprDB--
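
The name check from the attached wrapper, rewritten as an added example (not part of the message or its attachment): the reject list is read from a fixed root-owned path, every file argument is checked on a private copy, and the rpm options are fixed rather than taken from the caller; it keeps the reject-list approach, so the reservation stated in the message still applies. The paths /etc/userrpm/reject.rpms and /bin/rpm and the helper names are assumptions.

```shell
#!/bin/bash
# Added example, not the userrpm attachment from the message.
# Both paths are assumptions; the reject list must be writable by root only.
REJECT_FILE=/etc/userrpm/reject.rpms
RPM=/bin/rpm

# name_rejected NAME LISTFILE: returns 0 if NAME is rejected, 1 otherwise.
# -x: each list line is a regex that must match the whole package name.
# A missing or unreadable list rejects everything.
name_rejected() {
    [ -r "$2" ] || return 0
    printf '%s\n' "$1" | grep -x -q -f "$2"
}

# only_package_paths ARG...: returns 0 if there is at least one argument and
# none starts with "-". The wrapper chooses the rpm options itself.
only_package_paths() {
    local arg
    [ "$#" -gt 0 ] || return 1
    for arg in "$@"; do
        case $arg in -*) return 1 ;; esac
    done
    return 0
}

main() {
    local pkg copy name n=0
    only_package_paths "$@" || { echo "usage: userrpm file.rpm ..." >&2; return 2; }
    # Check and install private copies, so the file that was checked is the
    # file that rpm installs. workdir is global so the EXIT trap can see it.
    workdir=$(mktemp -d /var/tmp/userrpm.XXXXXX) || return 1
    trap 'rm -rf "$workdir"' EXIT
    for pkg in "$@"; do
        n=$((n + 1)); copy="$workdir/$n.rpm"
        cp -- "$pkg" "$copy" || return 1
        name=$("$RPM" -qp --qf '%{NAME}' "$copy") || return 1
        if name_rejected "$name" "$REJECT_FILE"; then
            echo "You don't have permission to install $pkg ($name)." >&2
            return 1
        fi
    done
    "$RPM" -Uvh "$workdir"/*.rpm
}

# Runs only when given arguments, e.g.: sudo userrpm abc-1.0.0.rpm
if [ "$#" -gt 0 ]; then main "$@"; fi
```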