There has *got* to be a better way to do this

davidstvz · 08-23-2008, 08:07 PM

Quote:

Originally Posted by matthewg42

I'd like to add that the script there is really not programmed defensively. The only advantage over an suid script is that the people who are able to run it cannot look inside it to see what is happening, at least not directly (maybe they can trick it into printing itself).

Also, all graders are implicitly trusted not to mess with the student's files in a malicious way. There is no mechanism for the students to show that what has been marked is what they submitted. You could add some sort of signing or checksumming scheme for that I guess, where the student gets a sort of receipt which can be checked against what has been marked. That's a bit sinister though if you ask me - if the student cannot trust the grader, he/she is screwed either way.

Quite right

Ok, I'm sure one of those things will work.

What I was currently trying is being held up because students can't change the owner or group for the file except to a group they are already part of which is no help (stupid of me to think they could).

However, there is that sticky bit that was mentioned. I've heard of how I can have them dump something in a directory whereupon it will immediately change owners due to the sticky bit. That would definitely get me where I need to be.

The only thing better is if I could get sudoers working (it's amazing how terrible the examples for sudoers are on the web).

------------

Btw, first half of the Saints game is over... Saints defense actually looked good for once

so I'm in a good mood. It was mostly three and outs and the Bengals ultimately didn't score a single point (and looking at last year's record, they should have a pretty good offense). Now if I can just finish this program, there's a chance my Saturday night might even get better!

davidstvz · 08-23-2008, 08:25 PM

Quote:

Originally Posted by Mr. C.

Add this to your /etc/sudoers file, tailoring to your needs:

Code:

Cmnd_Alias       GRADEPROGS = /full/path/to/submission_prog, /full/path/to/other_prog
Runas_Alias      GRADEUSER  = grader
%students        ALL = (GRADEUSER) NOPASSWD: GRADEPROGS

* Change students to the group in which all students are members.
* Change the Cmnd_Alias paths to a comma-separated list of full path names to your submission/deletion program(s).
* Change grader to the grader's group.

Students then submit as:

Code:

sudo -u grader /full/path/to/submission_prog args.

This totally works. Thanks dude! And would you know it, a working example goes much further than a 10 page manual in helping me to understand how the sudo command works with the visudo file.

estabroo · 08-24-2008, 08:43 AM

You could use an ftp server to make a dropbox.

Takla · 08-24-2008, 09:06 AM

There's an application called "super"

Quote:

Super(1) is a setuid-root program that offers

o restricted setuid-root access to executables, adjustable
on a per-program and per-user basis;

o a relatively secure environment for scripts, so that well-written
scripts can be run as root (or some other uid/gid), without
unduly compromising security.

Sample uses:
- to call a script that allows users to use mount(8) on
cdrom's or floppy disks, but not other devices.

- to restrict which users, on which hosts, may execute a
setuid-root program.

- to call a script that allows users to send STOP/CONT
signals to certain jobs, but not others.

- to allow groups of trusted users (e.g. an "operator" group) complete
root access to sets of selected commands such as, say, line-printer
control commands, without giving away access to other commands,
and with full logging of all commands used.

It's probably in your distro repositories but if not you can obtain it from ftp://ftp.ucolick.org/pub/users/will/