ip forwarding - permission denied

Anders Karlsson anders at trudheim.com
Fri Apr 1 07:45:44 UTC 2005


On Friday 01 Apr 2005 07:45, Cameron Hutchison wrote:
> Once upon a time Anders Karlsson said...

*lol*

> > I have noticed this as well. It would appear that stdout and stderr
> > do _not_ get elevated privileges when running a command with
> > sudo.
>
> That's because the redirection is performed by the shell from which
> you are running sudo. This shell does not have elevated permissions
> so it cannot open the output file as desired.

That would indeed be the case, and had I waited a second to take foot 
out of mouth and think about it, I would indeed have realised that this 
was the case. My bad.

[snip very bad idea]
>
> No tweak to sudo can fix this, since the redirection occurs before
> sudo is even run.
>
> I posted an erroneous solution earlier that was:
>
> sudo "echo 1 > /proc/sys/net/ipv4/ip_forward"
>
> If sudo were changed to allow this, it would open up a security hole
> in sudo. In Ubuntu, users get sudo privileges to do anything as root,
> but if you are using sudo to give permissions to run only certain
> programs to users, the ability to redirect as root overrides the
> necessary permission checking.
>
> eg. A user has permission to run apt-get as root, and nothing else.
> The user runs "sudo apt-get update >/etc/passwd", and ends up
> destroying the password file. Not what is wanted in a restricted root
> execution environment.

Indeed. I'll get me coat then.. ;-)

-- 
Anders Karlsson <anders at trudheim.com> | GnuPG Key ID - 0x4B20601A
Senior QA Engineer - McAfee WebShield | finger anders at lenin.trudheim.com
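
The point made in the quoted reply above (the invoking shell opens the redirection target before sudo is even started), as an added shell example that is not part of the original thread. `ELEVATE`, the function names and the temporary paths are assumptions of this example; setting `ELEVATE=env` lets it run without root.

```shell
#!/bin/sh
# Added example (constructed). ELEVATE is a hypothetical knob: it defaults to
# sudo; setting ELEVATE=env lets the functions run unprivileged for testing.
ELEVATE=${ELEVATE:-sudo}

# Prints "ran" if the command started, "not-run" if the redirection failed first.
redirect_before_exec() {
    dir=$(mktemp -d) || return 1
    # Target inside a missing directory: the open fails for any user, standing
    # in for "permission denied" on /proc/sys/net/ipv4/ip_forward.
    # touch stands in for "sudo echo 1"; it leaves a marker if it ever starts.
    ( touch "$dir/marker" > "$dir/missing/ip_forward" ) 2>/dev/null || true
    if [ -e "$dir/marker" ]; then echo ran; else echo not-run; fi
    rm -rf "$dir"
}

# The calling shell only opens a pipe; tee, running under $ELEVATE, opens the file.
write_with_tee() {   # usage: write_with_tee VALUE FILE
    printf '%s\n' "$1" | $ELEVATE tee "$2" >/dev/null
}

# The redirection is parsed by the shell started under $ELEVATE, not the caller's.
# VALUE and FILE travel as positional parameters, never spliced into the script.
write_with_sh() {    # usage: write_with_sh VALUE FILE
    $ELEVATE sh -c 'printf "%s\n" "$1" > "$2"' sh "$1" "$2"
}

redirect_before_exec
```

Under a restricted sudoers policy, both working forms succeed only if the policy allows tee or sh as root, so the permission check described in the reply stays in force.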
