
November 27, 2012


How is this different from running sudo /home/michael/test.ksh?
$ sudo /home/rroberts/test.ksh
---------- 1 root system 282 Nov 28 16:32 yyy
In your example you grant the privs as root, run the command as michael, then deny the privs as root. How is this different from adding a line to sudo then taking it away?

Not different at all, I suspect. I was being lazy. I just wanted to show the principle of assigning a privilege to a script. PV_ROOT is the one that is sure to work. What I should have done is run the command tracepriv (after promoting the user script to PV_ROOT).
Use the following privileges rather than PV_ROOT and the test.ksh will also work.

michael@x054:[/home/michael]tracepriv -e ./test.ksh
---------- 1 michael staff 6534 Nov 29 16:10 yyy

6946928: Used privileges for ./test.ksh:

And thanks for asking! (layout of output modified to better fit screen)

I made a small typo in my answer above:
Elevate script should be "elevate shell" (hint: using
# setsecattr -p iprivs=PV_ROOT pid)
