From: "Walter Dnes" <waltdnes@waltdnes.org>
Date: Wed, 21 Dec 2011 00:55:07 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
Message-ID: <20111221055507.GA25576@waltdnes.org>
References: <4EF0A415.8020007@libertytrek.org> <CA+czFiBbUJdk5W-fCGNecektdA+mn_jzb46eXnUk=5gjUD=NmQ@mail.gmail.com> <4EF0BCFF.8090301@libertytrek.org>
In-Reply-To: <4EF0BCFF.8090301@libertytrek.org>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
> > So, incidentally, would 'sudo passwd root'...
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

Howsabout in sudoers giving them the right to execute 2 commands...

  cat /etc/whatever > scratchfile   (this one may not be necessary)
  cat scratchfile > /etc/whatever

The first command copies the contents of the file to whatever directory
the user is in. He can work on the copy using his regular privileges.
Note that I'm assuming the user does not have read privileges on the
file. If he does have read privileges, then the first command does not
require sudoers. At the last step, he can send the finished copy back to
the original file. The sequence the user will have to follow is, logged
in as regular user...
1a) If he does *NOT* have read privileges to /etc/whatever

  touch scratchfile
  sudo cat /etc/whatever > scratchfile

1b) If he *DOES* have read privileges to /etc/whatever

  cp /etc/whatever scratchfile

2) edit scratchfile *LOCALLY* with his favourite editor. No need to worry
about restricting an editor.

3) sudo cat scratchfile > /etc/whatever

Note the use of "cat", rather than "cp", when using sudo. "cp" will copy
the file attributes, including the fact that it's owned by the user doing
the copying, e.g. sudo (as root) copies the file and it's owned by root
(oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
guarantees that the file will exist, and get overwritten by the content
of /etc/whatever, but still retaining the fact that it's owned by the
local user.

If local user has read access to /etc/whatever, that makes things easier.
When he does "cp" as local user, the resulting file is owned by him. Edit
at leisure, and send the result back with "cat".

--
Walter Dnes <waltdnes@waltdnes.org>
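As an added example, not part of Walter's post or of the thread: the copy / edit-locally / write-back workflow above, wrapped in POSIX shell functions, together with the sudoers fragment that grants exactly the two commands it needs. One detail about the write-back step: in `sudo cat scratchfile > /etc/whatever` the `>` redirection is performed by the user's own shell before sudo ever runs, so the root-owned target is opened by the unprivileged user and the write fails with "Permission denied". The example therefore writes back with `sudo tee /etc/whatever < scratchfile`, where the process that opens the target is the one running as root. The first step, `sudo cat /etc/whatever > scratchfile`, is unaffected, because there the user's shell is exactly what should create the scratch file, so it ends up owned by the user just as the post describes. The user name `alice`, the paths, the `SUDO` variable and the `demo` wrapper are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the copy / edit locally /
# write-back workflow, wrapped in functions so it can be run against a
# throw-away file. User name and paths are constructed for the demo.

# Emit the sudoers fragment that grants exactly the two commands the
# workflow needs, with their argument pinned to one file. Leaving the
# argument off (a bare "/bin/cat") would let the user read any file root can.
sudoers_fragment() {
    user="$1"; target="$2"
    printf '%s ALL=(root) /bin/cat %s, /usr/bin/tee %s\n' "$user" "$target" "$target"
}

# Step 1: copy the root-owned file into a scratch file owned by the caller.
# "sudo cat FILE > scratch" works because only cat runs as root; the shell
# doing the redirection is still the unprivileged user, so the scratch file
# is created with that user's ownership. SUDO unset -> "sudo"; SUDO="" -> none.
fetch_copy() {
    target="$1"; scratch="$2"
    ${SUDO-sudo} cat "$target" > "$scratch"
}

# Step 3: write the edited scratch file back. A plain "sudo cat scratch > FILE"
# fails here, because ">" is again performed by the user's shell, which cannot
# open the root-owned FILE for writing. tee opens FILE itself, so it is the
# process that must run as root; FILE keeps its existing owner and mode.
write_back() {
    scratch="$1"; target="$2"
    ${SUDO-sudo} tee "$target" < "$scratch" > /dev/null
}

# Demo wrapper: runs the whole sequence in a temp dir and prints the result.
# With SUDO="" it runs unprivileged (the ownership effect is then not visible,
# but the data flow of the three steps is).
demo() {
    dir=$(mktemp -d) || return 1
    target="$dir/whatever"; scratch="$dir/scratchfile"
    printf 'key=old\n' > "$target"           # constructed root-owned config
    fetch_copy "$target" "$scratch" || return 1
    # step 2: local edit with any editor; sed stands in for the editor here
    sed 's/^key=.*/key=new/' "$scratch" > "$scratch.tmp" && mv "$scratch.tmp" "$scratch"
    write_back "$scratch" "$target" || return 1
    cat "$target"
    rm -rf "$dir"
}
```

Run `demo` with `SUDO` set to the empty string to trace the data flow without privileges; with a real sudoers entry installed and `SUDO` unset, the functions call sudo. Pinning the argument in the sudoers line matters: a rule for `/usr/bin/tee` with no argument lets the user overwrite any file root can write, which is a much broader grant than editing one config file. `sudoedit` (`sudo -e`) performs this same copy, edit with the user's own editor, write-back sequence as a single built-in sudo operation.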