[mythtv-users] Preemptive Kernel Patch

Aaron Stewart acs at hourglassone.com
Tue Feb 18 20:50:25 UTC 2003


Why not use sudo to handle this?  It would be the appropriate way to do
it, and minimizes security risk:

# useradd mythtvuser
	((no password))

Change /etc/sudoers and add the following line:

mythtvuser	ALL = NOPASSWD: /usr/local/bin/mythstart

(where /usr/local/bin/mythstart is your startup script, owned by root,
and chmod u+rx).

I use a similar tactic to allow VMWare to access /dev/dsp through the
artsdsp wrapper.

Cheers,
Aaron
-----Original Message-----
From: mythtv-users-bounces at snowman.net
[mailto:mythtv-users-bounces at snowman.net] On Behalf Of Nathan Poznick
Sent: Tuesday, February 18, 2003 12:26 PM
To: Discussion about mythtv
Subject: Re: [mythtv-users] Preemptive Kernel Patch


Thus spake Monty Walls:
> Sure you can, just might not be smart, plus may require some fiddling
> with the actual code.  Since the only user is me, and it's
> not an externally exposed box (inside a firewalled, NATed network), it
> might be an acceptable risk...

Actually, many systems disable the ability to use a setuid shell script.

npozni at ripcord:~$ cat script 
#!/bin/bash
ls -l /
sleep 30

npozni at ripcord:~$ ls -l script 
-rwsr-xr-x    1 root     root           30 Feb 18 14:09 script*

(user npozni runs ./script)

If the script was running setuid, it would show up as running as root in
the process listing...

npozni   18405  0.2  0.2  2060  960 pts/4    S    14:09   0:00 /bin/bash ./script
npozni   18407  0.0  0.1  1708  452 pts/4    S    14:09   0:00 sleep 30


One way to get around this is to write a very simple C wrapper program
which is setuid, and serves no purpose other than to exec the intended
shell script.


-- 
Nathan Poznick <poznick at conwaycorp.net>

To swallow and follow, whether old doctrine or new propaganda, is a
weakness still dominating the human mind. - Charlotte P. Gillman

_______________________________________________
mythtv-users mailing list
mythtv-users at snowman.net
http://www.snowman.net/mailman/listinfo/mythtv-users