0

I've got a Perl test script, initiated with prove, that tests a backup script that requires root privileges so rsync can change the permissions on the files it downloaded from a remote server.

So I've got the following in my Mac's sudoers file:

root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD:/path/to/prove

It works. But my question is, since prove can be used to run pretty much any perl script written by the local user, is this a huge security risk?

Improve this question
2
  • 2
    It' yes, because anyone can write a Perl script to run any command as root. Just don't do it. Commented Jan 23, 2018 at 2:58
  • this is no different to allowing perl or awk or bash or any other script interpreter to be run as root....and, as they can run other programs, it's equivalent to allowing ANY program to be run as root with any args. Commented Jan 23, 2018 at 4:33

1 Answer 1

Reset to default
3

Yes, that approach is insecure.

Write a specific wrapper that specifically runs your command which subsequently calls the prove, secure it so that only root can modify it, and put it somewhere only root can reach. Then, add that wrapper to the sudoers file.

Don't allow parameters in your script.

NB: Although, even that's open to abuse, if someone can modify either the first perl script, or the backup script. Have to ensure everything in the chain is modifiable only by root.

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.