Sudoers list?

Stephen R Laniel steve at laniels.org
Tue Apr 4 20:29:38 UTC 2006


On Tue, Apr 04, 2006 at 09:34:29PM +0100, Daniel Carrera wrote:
> The script is a simplified OpenOffice.org installer. The default OOo 
> download is a tar.gz file with about 12 RPM files. This is a GUI program 
> that extracts everything and asks the user where to put it. If the user 
> chooses a location that is writable only by root (e.g. /usr/local) I 
> should run gksudo to ask for a password. So far so good. But what if the 
> user is not in the sudoers list? I need to know whether it makes sense 
> to run gksudo for this user or not.

I'm pretty sure it's a security risk to let arbitrary people
know who's in the sudoers list. For one thing, that gives
attackers an idea of whose passwords they should crack. The
fact that default permissions on /etc/sudoers are

-r--r-----  1 root root 342 2006-03-04 12:25 /etc/sudoers

suggests that it's a good idea for it to stay secret.

Really, all your script needs to do is test for the
effective gid. If that's not zero, the script should die and
say, "You need to run as root." That's what most installers
that I know about do.

-- 
Stephen R. Laniel
steve at laniels.org
Cell: +(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key
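
The check suggested in this message, sketched as an added example (not code from the thread or from any installer): it decides from the chosen directory's writability and the effective user ID (`id -u`) whether to proceed or stop with "You need to run as root.", and never reads /etc/sudoers. The function names, the script name in the usage comment and the optional uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the closest existing ancestor directory of path $1
# (the directory an installer would actually have to write into).
nearest_existing_dir() {
    p=$1
    while [ ! -d "$p" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Classify install target $1. Optional $2 overrides the effective uid
# (assumption: present only so the decision logic can be exercised in tests).
# Prints one of:
#   proceed     the current process can already write there
#   need-root   not writable and not running as root
#   unwritable  not writable even as root (e.g. read-only filesystem)
install_mode() {
    target=$1
    euid=${2:-$(id -u)}
    dir=$(nearest_existing_dir "$target")
    if [ -w "$dir" ]; then
        echo proceed
    elif [ "$euid" -ne 0 ]; then
        echo need-root
    else
        echo unwritable
    fi
}

# Usage (hypothetical script name and path): sh precheck.sh /usr/local/openoffice
if [ "$#" -gt 0 ]; then
    case $(install_mode "$1") in
        proceed)    exit 0 ;;
        need-root)  echo "You need to run as root." >&2; exit 1 ;;
        unwritable) echo "Cannot write to $1 even as root." >&2; exit 2 ;;
    esac
fi
```

The script learns nothing about other accounts: it only asks the kernel what the current process may do.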