From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Date: Thu, 22 Dec 2011 21:21:07 +0200
Subject: Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
On Thu, 22 Dec 2011 13:53:43 -0500 Tanstaafl wrote:

> On 2011-12-22 1:00 PM, Nikos Chantziaras wrote:
> > On 12/22/2011 05:44 PM, Tanstaafl wrote:
> >> On 2011-12-20 12:19 PM, Nikos Chantziaras wrote:
> >>> If you allow someone to edit root owned files, you're practically
> >>> giving him root access.
> >>
> >> Well, yeah, but only on those defined files...
> >
> > root access is global. You can't limit it. root is root, the all
> > powerful Unix being. Period :-)
>
> Ummm... then what is the purpose of sudo??

The purpose of sudo is to provide *fine-grained* control of elevated
privilege to users and groups. Few people seem to realize just how
finely this can be controlled; most assume that sudo lets you become
root and that's it.

As with all things fine-grained, it can get very complex very quickly.
If you want to allow 5 commands to operate on 5 files, you have to make
25 allow statements (unless you can use some funky wildcard syntax).

> If I add the following line to sudoers:
>
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
>
> Are you saying that this does NOT limit anyone in the sudoroot group
> to *only* be able to run the chmod command, and only on files located
> in /var/www/localhost/htdocs?

Not quite, take out the word "only".

When you say only, you exclude everything else and that is not true -
you might have a second set of permissions somewhere else. The line you
quoted does exactly what you said without the word "only" - it allows
the action. Different commands and different files are outside the
scope of that config line.

> > Then you put the files in a special group and make them g+w, and
> > add the affected users to that group. Then they will be able to
> > write to those files. If you want to give them write access to a
> > whole directory, you put the directory in the group and make it g+w.
> > This is how it's traditionally been done in Unix for ages, and it's
> > extremely easy to set up.
>
> Yeah, I think I got a little tunnel vision trying to do this with
> sudo.

Permissions and rights of access are hard. Few people know how to do it
right, and you can't consider just sudo in isolation. sudo is one
command in a whole system and you have to take that into account too.
The method you use will depend more on everything else that machine can
do than just on what sudo can do.

If you need to allow just one single user to access just one single
directory, you are better off using POSIX ACLs (NOT regular owner, group
and perms - that almost never works out right for www data).

If you have many different users needing all sorts of different access
to things, you might even consider SELinux. Just be prepared for huge
amounts of customizing. But if it really is what you need, SELinux is
worth the sweat.

--
Alan McKinnon
alan.mckinnon@gmail.com
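Added example, not from the thread or from the sudo project: a simplified model of how sudo evaluates sudoers entries, used to audit what the quoted %sudoroot line permits and how a second rule elsewhere (here a constructed rule for a user "bob") widens what a user may do. It assumes group membership is supplied inline and models only the subset of sudoers syntax used in the sample (user or %group, host, (runas), NOPASSWD:, command, argument pattern).

```python
import fnmatch
import re

# Constructed sudoers text: the rule quoted in the thread plus one extra rule,
# to show that a second entry elsewhere widens what a user may do.
SUDOERS = """
%sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
bob ALL=(ALL) ALL
"""

# Hypothetical parser for the subset of sudoers syntax used above.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?(?P<cmd>\S+)(?:\s+(?P<args>.+))?$")

def parse_sudoers(text):
    """Parse sudoers lines into rule dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported sudoers line: " + line)
            rules.append(m.groupdict())
    return rules

def _who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return who == user

def check(rules, user, groups, argv, runas="root", host="web1"):
    """Return (allowed, password_required); as in sudo, the last matching rule wins."""
    verdict = (False, True)
    for r in rules:
        if not _who_matches(r["who"], user, groups):
            continue
        if r["host"] != "ALL" and r["host"] != host:
            continue
        if r["runas"] != "ALL" and r["runas"] != runas:
            continue
        if r["cmd"] != "ALL" and r["cmd"] != argv[0]:
            continue
        # When the rule lists arguments, the user's whole argument string must match them.
        if r["args"] is not None and not fnmatch.fnmatchcase(" ".join(argv[1:]), r["args"]):
            continue
        verdict = (True, r["tag"] != "NOPASSWD")
    return verdict
```

Running check() for a sudoroot member shows the quoted line allows chmod on htdocs paths only, while chown, other paths, or another runas target fall outside its scope; the constructed "bob" rule shows why "only" is not guaranteed by one line.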