[KLUG Members] Allowing users to write to log file
Adam Tauno Williams
members@kalamazoolinux.org
Tue, 23 Oct 2001 15:43:39 -0400 (EDT)
>>I am writing a shell script that will indirectly append a user's output
>>to a read only log file. I don't want the log file to be writable by
>>the user.
>>To approach this problem I wrote the user script and passed the output
>>to a script owned by root that will append to the log file. The log
>>file is not writable by the user. This process failed perhaps because
>>the user can't force the root file to give root privileges on other
>>files. I changed the root file permissions to -rwsr-xr-x but with no
>>success. Is there a way to allow a user to execute the root file so the
>>user read only file can be appended?
>1) You cannot make a SUID shell script in Linux, and you don't want
>to!!! There are major security holes that can be exploited no matter how
>well you write the script. You'd be giving your users total root
>access.
>I did something similar this way:
>I wrote a small C program to write to the log file.
>As a security precaution, I made the C program SUID to
>a dummy user, NOT ROOT! So I have the same permissions
>as -rwsr-xr-x but the script is owned by "fred" not root.
>And the log file is also owned by user "fred" -rw-------
>Then you can call the C program from a shell script or
>wherever you like.
Sheesh, what do I do these presentations for..... :)
http://www.kalamazoolinux.org/presentations/20000829/img14.htm
The "logger" facility lets an arbitrary process send messages via the syslog
facility system. Then the admin can tune what messages go where and your
script/program can worry about other things than managing the log.
It is probably pretty much the same thing as Bruce's C program.
Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW
Grand Rapids, MI. 49505
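
The kind of helper described in the quoted reply (a small C program, SUID to a dummy user that owns the log file), as an added example; it is not Bruce's program or code from this thread. The path /var/log/userlog and the names sanitize_msg and append_log are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define LOG_PATH "/var/log/userlog" /* hypothetical; owned by the dummy user, mode 0600 */
#define MAX_MSG 512

/* Copy src to dst, turning control characters (newlines included) into '?'
   so a caller cannot forge extra log lines. Returns the length written. */
size_t sanitize_msg(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0) return 0;
    for (; *src && n + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        dst[n++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Append "<epoch> uid=<real uid> <msg>\n" to path; 0 on success, -1 on error. */
int append_log(const char *path, const char *msg)
{
    char clean[MAX_MSG], line[MAX_MSG + 64];
    sanitize_msg(msg, clean, sizeof clean);
    /* getuid() is the real (invoking) user even when the binary runs SUID. */
    int len = snprintf(line, sizeof line, "%ld uid=%ld %s\n",
                       (long)time(NULL), (long)getuid(), clean);
    if (len < 0 || (size_t)len >= sizeof line) return -1;
    /* O_APPEND: always write at end of file. O_NOFOLLOW: refuse a symlink.
       No O_CREAT: the admin creates the file, the helper never does. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t w = write(fd, line, (size_t)len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s message\n", argv[0]); return 2; }
    /* The path is compiled in; the caller supplies only the message text. */
    return append_log(LOG_PATH, argv[1]) == 0 ? 0 : 1;
}
```

Because the helper stamps each line with the real uid and strips newlines, a user can add entries but cannot impersonate another user or rewrite earlier ones.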