- Point taken; you are correct. However sudo's job is specifically to get around those restrictions...
... which is why you have to be extremely careful with sudo. You either allow only trusted users to use sudo (which is a very common case if you have multiple admin accounts) or you only allow a handful of select programs, presumably programs that you know very well.
Unix has just one line of defense between between malicious local users and system administration: file permissions. These file permissions (and the code that checks them) have been developed and improved for over a decade. To think you can do better in a short perl script is a good example of hubris - in this case a very dangerous case.
If your script allows an attacker to break that single line of defense, it will be easy to break the rest of your system. That's why you shouldn't try to circumvent file permissions, but adapt them to your needs.
This was just a small rant to convince you not to do anything foolish with sudo. If you are still convinced that you want to use sudo, the usual hints apply (most of them are usually quoted in the context of web applications; the perl specific can be found in perlsec): use strict input checking. Use taint mode. Use whitelisting istead of blacklisting. Test your restrictions.
In reply to Re^3: semi secure sudo script to allow restricted copy ability
by moritz
in thread semi secure sudo script to allow restricted copy ability
by 5mi11er
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |