From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
Date: Tue, 20 Dec 2011 18:20:19 +0100 [thread overview]
Message-ID: <4EF0C3D3.8020504@binarywings.net> (raw)
In-Reply-To: <4EF0BFC7.7040303@libertytrek.org>
[-- Attachment #1: Type: text/plain, Size: 1490 bytes --]
Am 20.12.2011 18:03, schrieb Tanstaafl:
> On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot sudoedit/var/www/*
>
> Great, that helps... but...
>
> He wants to use nano, so I set this up for nano, but there is one little
> issue...
>
> He sometimes uses different flags with nano (ie, 'nano -wc filename') -
> is there a way to specify the use with or without flags? I know you can
> use:
>
> /bin/nano -* /etc/apache2/*,
>
> But this fails if no flags are specified.
>
Well, as I've said, using a /normal/ editor doesn't solve the problem
because you can use nano for opening a shell, thereby escalating your
privileges. You have to use rnano (or nano -R). This solution is not
really meant for the luxury of a full blown editor with arbitrary
arguments and capabilities. rnano doesn't read nanorc files, for
example. If you cannot agree on a common set of safe flags, you
shouldn't use sudo for this purpose.
In that case, I recommend Michael's proposed solution of ACLs or
probably group write access +setgid to the specific directories.
Alternatively, allow editing outside of the directory and something like
%sudoroot cp * /etc/apache/*
so that they can /commit/ their changes instead of editing directly.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
next prev parent reply other threads:[~2011-12-20 17:22 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-20 15:04 [gentoo-user] Allow non root users to edit files owned by root? Tanstaafl
2011-12-20 15:13 ` Michael Mol
2011-12-20 16:00 ` Florian Philipp
2011-12-20 17:03 ` Tanstaafl
2011-12-20 17:20 ` Florian Philipp [this message]
2011-12-20 18:20 ` Tanstaafl
2011-12-22 15:41 ` Tanstaafl
2011-12-22 15:46 ` James Broadhead
2011-12-20 16:51 ` Tanstaafl
2011-12-20 17:06 ` Michael Mol
2011-12-21 5:55 ` Walter Dnes
2011-12-21 19:07 ` Florian Philipp
2011-12-20 17:19 ` [gentoo-user] " Nikos Chantziaras
2011-12-22 15:44 ` Tanstaafl
2011-12-22 18:00 ` Nikos Chantziaras
2011-12-22 18:53 ` Tanstaafl
2011-12-22 19:21 ` Alan McKinnon
2011-12-22 19:33 ` Tanstaafl
2011-12-22 19:49 ` Alan McKinnon
2011-12-22 19:42 ` Nikos Chantziaras
2011-12-22 19:36 ` Nikos Chantziaras
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EF0C3D3.8020504@binarywings.net \
--to=lists@binarywings.net \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox