Re: How to use gksu to safely run a non-open-source application?



Jack Dodds <brmdamon aci on ca> writes:

<snip>
> Problem is, the user has to enter realplay's password every time gksu
> is run.  This is a nuisance and also would compromise realplay's
> password if it had to be given to many users.
>
> I have tried to run gksu from a script in which I send realplay's
> password from a file to sysin, but gksu doesn't like that - I get a
> message something like "Must be run from a terminal".  If I could run
> gksu from a script like this I could eliminate entry of the password.
> I could also create a Mozilla "helper application" to play specific
> MIME types using RealPlayer running under its separate user id.
>
> The obvious solution is to run the RealPlayer binary as user realplay
> using the suid permission - but GTK+ does not honour the suid bit
> because that is deemed to be a security risk.  See
> http://www.gtk.org/setuid.html .
>

I think you're looking at a prime example for using 'sudo'.

Add the following to your /etc/sudoers:

# The keyword is Cmnd_Alias; the (realplay) field is the Runas_Spec, without
# which sudo only permits running the command as root.
Cmnd_Alias           REALPLAY = /usr/bin/realplay

ALL                  ALL = (realplay) NOPASSWD: REALPLAY


Executing 'sudo -u realplay /usr/bin/realplay' will now execute
Realplayer as user realplay, just as if it had been setuid realplay.

The nice thing is that some tweaking of the sudoers file could set
restrictions even tighter. For example, if you want to restrict
execution to members of the realplay group, your /etc/sudoers would
look like this:

# There is no Group_Alias keyword; a %group is a User_List member.
User_Alias              ALLOW_REALPLAY = %realplay

Cmnd_Alias              REALPLAY = /usr/bin/realplay

ALLOW_REALPLAY          ALL = (realplay) NOPASSWD: REALPLAY

The manpage for /etc/sudoers is a bit dry, but read it, because it
sounds just like what you need.

Make sure the realplay binary is executable owner-only (chmod 700),
otherwise your users could just launch it from a terminal, having it
run with their full permissions again.

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.
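A wrapper script that puts the pieces of Mart's advice together, written for this page as an added example (it is not Mart's code and not anything shipped by RealNetworks or GTK+). It assumes a local user and group both named realplay and the binary at /usr/bin/realplay, as in the thread; the subcommand names and the file-mode check are my own additions. The `fragment` subcommand emits a sudoers fragment with an explicit (realplay) runas field, `check` verifies that the binary really is private to the realplay user, and `run` is the command a Mozilla helper application would call.

```shell
#!/bin/sh
# realplay-wrapper: run a closed-source player as a dedicated, unprivileged
# user through sudo instead of gksu or a setuid bit.
# Added example; assumes a user and group both named "realplay" and the
# binary at /usr/bin/realplay (both taken from the thread, not verified here).

# Emit a sudoers fragment for /etc/sudoers.d/ (or to paste in via visudo):
# members of group $1 may run $2 as user $1 with no password prompt.
# The (runas) field matters: without it sudo only allows running as root.
sudoers_fragment() {
    runas=$1
    bin=$2
    tag=$(printf '%s' "$runas" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
User_Alias   ALLOW_${tag} = %${runas}
Cmnd_Alias   ${tag} = ${bin}
ALLOW_${tag}  ALL = (${runas}) NOPASSWD: ${tag}
EOF
}

# Return 0 if $1 is a regular file, owned by $2 (when given), with mode
# rwx------ so that ordinary users cannot bypass sudo by running it directly.
check_private_exec() {
    path=$1
    want_owner=${2-}
    [ -f "$path" ] || return 2
    # ls -ld prints: mode links owner group ...  (portable across sh/ls)
    set -- $(ls -ld "$path")
    mode=$1
    owner=$3
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        return 1
    fi
    case "$mode" in
        -rwx------*) return 0 ;;   # trailing '.' or '+' (SELinux/ACL) tolerated
        *)           return 1 ;;
    esac
}

# Launch $2 as user $1 with the remaining arguments (e.g. a media file handed
# over by a browser helper application).  -n makes sudo fail instead of
# prompting, which is what you want when no terminal is attached.
run_private() {
    runas=$1
    bin=$2
    shift 2
    check_private_exec "$bin" "$runas" || {
        echo "refusing: $bin must be owned by $runas with mode 700" >&2
        return 1
    }
    exec sudo -n -u "$runas" -- "$bin" "$@"
}

# Subcommands (names are this example's own): fragment | check | run FILE...
case "${1-}" in
    fragment) sudoers_fragment realplay /usr/bin/realplay ;;
    check)    check_private_exec /usr/bin/realplay realplay &&
              echo "/usr/bin/realplay is private to realplay" ;;
    run)      shift; run_private realplay /usr/bin/realplay "$@" ;;
esac
```

Two practical notes: chmod 700 only does its job if the binary is owned by realplay (chown realplay /usr/bin/realplay first), which is what the `check` subcommand verifies; and a fragment written to /etc/sudoers.d/ should be checked with `visudo -c -f FILE` before relying on it, since a syntax error there can lock everyone out of sudo.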


