Message-ID: <4EF0B101.3060709@binarywings.net>
Date: Tue, 20 Dec 2011 17:00:01 +0100
From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
References: <4EF0A415.8020007@libertytrek.org> <CA+czFiBbUJdk5W-fCGNecektdA+mn_jzb46eXnUk=5gjUD=NmQ@mail.gmail.com>
In-Reply-To: <CA+czFiBbUJdk5W-fCGNecektdA+mn_jzb46eXnUk=5gjUD=NmQ@mail.gmail.com>

On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances
>> of sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to
>> edit files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot       ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access
>> denied error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the
>> root password so they can su -...
>
> The sudo command allows commands to be executed *as though they were root*.
>
> 'sudo su -' would work. So would 'sudo mv src dst'.
>
> So, incidentally, would 'sudo passwd root'...
>

For file editing alone, you can allow rights to sudoedit, for example:
%sudoroot	ALL = sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo). But you also have to restrict the editors
because most of them are able to spawn a shell (which would then have
root rights). Restricted editors like `rnano` or `rvim` circumvent this
issue. To do this, set something like this in your sudoers file:
Defaults editor=rnano:rvim

You should probably also restrict which files can be edited (not
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
with globs. For example:
%sudoroot	ALL = sudoedit /var/www/*

Hope this helps,
Florian Philipp
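The three pieces of the reply above (sudoedit entry, editor list, file glob) written out in full sudoers syntax, as an added example that is not part of the thread; it keeps the %sudoroot group name from the question and assumes the restricted editors are installed at /usr/bin/rnano and /usr/bin/rvim.

```sudoers
# Constructed example, e.g. saved as /etc/sudoers.d/www-edit (mode 0440).
# Check the syntax before relying on it: visudo -c -f /etc/sudoers.d/www-edit

# "editor" is a colon-separated list of editors (full paths) that sudo may
# choose from; sudo falls back to the first entry that exists and is executable.
# Paths are an assumption; adjust them to where rnano/rvim live on the host.
Defaults editor=/usr/bin/rnano:/usr/bin/rvim

# Name the permitted operation once so it is easy to audit and reuse.
# "sudoedit" is a sudoers keyword, not a path; its argument is a glob over
# the files that members of the group may open with sudoedit.
Cmnd_Alias WWW_EDIT = sudoedit /var/www/*

# A user specification always needs the host part ("ALL =" here); a
# one-word form such as "%sudoroot sudoedit" is rejected by visudo.
%sudoroot ALL = (root) WWW_EDIT
```

Members of sudoroot can then run `sudoedit /var/www/index.html` but nothing else through sudo, and `sudo -l -U <user>` shows exactly this entry.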
