sudo and how it works???

Holger

sudo and how it works???

#1 Post by Holger »

OK, here's the situation:
I wanted to run the following test script as a user named hlds-ftp:

This is what my /etc/sudoers looks like:
----------------------------
root ALL=(ALL) ALL
wwwrun ALL=NOPASSWD: /webint/test.wi
hlds-ftp ALL=NOPASSWD: /webint/test.wi
----------------------------

and this is the script (test.wi):
----------------------------
#!/bin/sh
# lsof reads nothing from stdin, so the piped echo only gives it an empty input;
# what matters is whether lsof -i is allowed to see the socket at all
echo "$*" | lsof -i :27015
echo ""
# capture the same listing into a variable (quoted on output so lines stay separate)
ACID_HLDS_TESTVAR=`echo | lsof -i :27015`
echo "$ACID_HLDS_TESTVAR"
echo ""
ACID_HLDS_TESTVAR2=`echo | lsof -i :27015`
echo "$ACID_HLDS_TESTVAR2"
echo ""
----------------------------

It should actually output 4 lines ... only, as user HLDS-FTP, I am allowed to run lsof, but not lsof -i :27015 ...... how do I allow the user, via SUDO, to use LSOF without restriction (i.e. with various parameters, no matter how many there are)????
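As an added example (not the original poster's script), here is a hardened variant of test.wi: because the sudoers line runs it as root without a password, the script takes the port as an argument, checks it strictly before it reaches lsof, and calls lsof by absolute path. The lsof path /usr/sbin/lsof and the sudoers line in the comment are assumptions.

```sh
#!/bin/sh
# Hardened test.wi (added example). Assumed sudoers line (constructed):
#   hlds-ftp ALL=(root) NOPASSWD: /webint/test.wi
# Everything in this script runs as root, so any argument it accepts must be
# validated; the original "$*" would hand arbitrary input straight to lsof.
LSOF=/usr/sbin/lsof   # assumed install path; absolute so PATH cannot be abused

# validate_port PORT -> 0 if PORT is a decimal number in 1..65535, else 1
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;      # empty, or contains a non-digit
    esac
    [ ${#1} -le 5 ] || return 1        # keep the numeric test in range
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# listeners PORT -> print the processes holding a socket on PORT
listeners() {
    port="$1"
    validate_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    # -n/-P: no DNS or service-name lookups, so the output stays predictable
    "$LSOF" -nP -i ":$port"
}

# Entry point: only runs when the script itself is executed (as test.wi).
if [ "${0##*/}" = "test.wi" ]; then
    listeners "${1:-27015}"
fi
```

Invoked as `sudo /webint/test.wi 27015`, the whole script executes as root, so lsof sees every process's sockets and hlds-ftp needs no separate sudo rule for lsof itself.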

ratte

Re: sudo and how it works???

#2 Post by ratte »

From the lsof man page:

----------------------------
MODIFIED PERSONAL DEVICE CACHE PATH
If this option is defined by the local system administrator when lsof
is built, the LSOFPERSDCPATH environment variable contents may be used
to add a component of the personal device cache file path.
...
Lsof will not write to a modified personal device cache file path if
the lsof process doesn't surrender setgid permission. (See the LSOF
PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of
implementations that normally don't surrender their setgid permission.)
...
LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS
Two permissions of the lsof executable affect its ability to access
device cache files. The permissions are set by the local system
administrator when lsof is installed.

The first and rarer permission is setuid-root. It comes into effect
when lsof is executed; its effective UID is then root, while its real
(i.e., that of the logged-on user) UID is not. The lsof distribution
recommends that versions for these dialects run setuid-root.
...
Lsof can't search for files with restrictive access permissions by name
unless it is installed with root set-UID permission. Otherwise it is
limited to searching for files to which its user or its set-GID group
(if any) has access permission.
----------------------------

Solution:
- set the setuid bit, or if that doesn't help,
- uninstall lsof and recompile and install it yourself from source
