From owner-freebsd-security  Mon Dec 10  7:59:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201])
	by hub.freebsd.org (Postfix) with ESMTP id 2F81E37B417
	for <security@freebsd.org>; Mon, 10 Dec 2001 07:59:42 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za)
	by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1)
	id 16DSro-000FhU-00; Mon, 10 Dec 2001 18:01:20 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: "Ronan Lucio" <ronan@melim.com.br>
Cc: security@freebsd.org
Subject: Re: Accessing as root 
In-reply-to: Your message of "Mon, 10 Dec 2001 12:02:40 -0200."
             <035301c18183$54d13460$2aa8a8c0@melim.com.br> 
Date: Mon, 10 Dec 2001 18:01:20 +0200
Message-ID: <60355.1008000080@axl.seasidesoftware.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org



On Mon, 10 Dec 2001 12:02:40 -0200, "Ronan Lucio" wrote:

> I need to make some scripts to change the password and another
> things like that need root permissions, but:
> 
> How can I do it without opening a security hole in the server?
> What is the best way to do it?

1) Limit exposure to just those commands that need privelege, by passing
   your command as arguments to the su(1) command.

2) Be _very_ careful about the input you accept and then pass on to these
   priveleged commands.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message