This article describes a number of best practices for allowing users to execute programs as another user when implementing BoKS in your organization.

Executing programs as another user

For system administration it is often useful to allow one user to execute a program as another user, typically root. The BoKS suexec program makes this possible.
Using access routes, you can set up which programs are allowed, the name of the other user, and on which machines this is allowed. What suexec lacks is argument control.
If you need argument control, you must add it yourself, and you must make sure that allowing the user to execute the given program opens no security holes, especially if the program is a shell script. (The BoKS suexec program removes most environment variables to disable the most common ways to break shell scripts.)

Recommended best practice:
Create a program in a separate directory that checks its input arguments before executing the actual command.
Never give access to a program that allows the possibility to execute other commands at will.
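
The following wrapper illustrates both recommendations. It is an added example, not BoKS code: the target command (systemctl), the allowed actions and the unit names are assumptions chosen for illustration. The wrapper, not the target, is the program you would allow through suexec.

```c
/* Added example: argument-checking wrapper to be granted through suexec
 * in place of the real command. TARGET and both lists are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/usr/bin/systemctl"   /* assumed target, absolute path */

static const char *const ACTIONS[] = { "status", "restart", NULL };
static const char *const UNITS[]   = { "httpd.service", "sshd.service", NULL };

/* Exact match against a fixed list: no prefixes, globs or patterns. */
static int in_list(const char *s, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(s, *list) == 0)
            return 1;
    return 0;
}

/* Returns 1 only for "<wrapper> <action> <unit>" with both values listed.
 * Options, extra arguments and unknown values are all rejected. */
int args_allowed(int argc, char *const argv[])
{
    if (argc != 3 || argv[1] == NULL || argv[2] == NULL)
        return 0;
    return in_list(argv[1], ACTIONS) && in_list(argv[2], UNITS);
}

int main(int argc, char *argv[])
{
    /* Fixed minimal environment; nothing is inherited from the caller. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (!args_allowed(argc, argv)) {
        fprintf(stderr, "usage: %s {status|restart} <allowed unit>\n",
                argc > 0 ? argv[0] : "wrapper");
        return 2;
    }
    /* Rebuild argv from validated values and call the target directly,
     * without a shell. --no-pager keeps systemctl from starting a pager,
     * since a pager can run other commands. */
    char *const child[] = { TARGET, "--no-pager", argv[1], argv[2], NULL };
    execve(TARGET, child, envp);
    perror("execve");
    return 126;
}
```

Keep the compiled wrapper in its own directory, writable only by root, so that the path allowed in the access route cannot be replaced by another program.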

Last Modified On: May 25, 2018