From: Florian Philipp
Date: Tue, 20 Dec 2011 18:20:19 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
Message-ID: <4EF0C3D3.8020504@binarywings.net>
In-Reply-To: <4EF0BFC7.7040303@libertytrek.org>
References: <4EF0A415.8020007@libertytrek.org> <4EF0B101.3060709@binarywings.net> <4EF0BFC7.7040303@libertytrek.org>

On 20.12.2011 18:03, Tanstaafl wrote:
> On 2011-12-20 11:00 AM, Florian Philipp wrote:
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot sudoedit /var/www/*
>
> Great, that helps... but...
>
> He wants to use nano, so I set this up for nano, but there is one little
> issue...
>
> He sometimes uses different flags with nano (i.e., 'nano -wc filename') -
> is there a way to specify the use with or without flags? I know you can
> use:
>
> /bin/nano -* /etc/apache2/*,
>
> But this fails if no flags are specified.
>

Well, as I've said, using a /normal/ editor doesn't solve the problem
because you can use nano for opening a shell, thereby escalating your
privileges. You have to use rnano (or nano -R).
This solution is not really meant for the luxury of a full-blown editor
with arbitrary arguments and capabilities. rnano doesn't read nanorc
files, for example. If you cannot agree on a common set of safe flags,
you shouldn't use sudo for this purpose. In that case, I recommend
Michael's proposed solution of ACLs or probably group write access +
setgid to the specific directories. Alternatively, allow editing outside
of the directory and something like

%sudoroot cp * /etc/apache/*

so that they can /commit/ their changes instead of editing directly.

Regards,
Florian Philipp
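The rule variants discussed in this thread side by side, as an added sudoers example that is not part of the mail. It assumes the group name sudoroot from the thread, rnano installed at /usr/bin/rnano, and the Apache configuration living under /etc/apache2; the file names under Cmnd_Alias are placeholders.

```sudoers
# Added example, not from the thread. Assumes group "sudoroot" (from the
# thread), /usr/bin/rnano, and config under /etc/apache2 (assumed paths).

# Weak ("before"): a normal editor lets the invoking user spawn a shell or
# open other files from inside the editor, so the glob on the file name is
# not a privilege boundary. Kept commented out; do not deploy.
# %sudoroot ALL = (root) /bin/nano /etc/apache2/*

# Better: sudoedit copies the file to a temporary location, runs the editor
# as the *invoking* user, and only writes the named file back as root.
# Editor escapes therefore gain nothing. Flags such as "nano -w" belong in
# the user's SUDO_EDITOR/VISUAL/EDITOR variables (subject to the "editor"
# and "env_editor" Defaults), not in the sudoers rule.
%sudoroot ALL = (root) sudoedit /etc/apache2/*

# Restricted-editor alternative when sudoedit is not wanted: rnano cannot
# start a shell or open a second file. sudo matches the argument list
# exactly, so "rnano -w file" would not match this rule; that is the flag
# limitation described in the thread.
%sudoroot ALL = (root) /usr/bin/rnano /etc/apache2/*

# Caveat on wildcards (from sudoers(5)): command-line arguments are matched
# as one concatenated string, so "/etc/apache2/*" also matches
# "/etc/apache2/x /etc/shadow". When the set of files is small, list them
# explicitly instead of using a glob.
Cmnd_Alias APACHE_EDIT = sudoedit /etc/apache2/httpd.conf, \
                         sudoedit /etc/apache2/vhosts.d/00_default_vhost.conf
%sudoroot ALL = (root) APACHE_EDIT

# Keep sudoedit from following symlinks or writing into user-writable
# parent directories (options available since sudo 1.8.16; stated
# explicitly here even though they are the defaults).
Defaults!APACHE_EDIT sudoedit_checkdir, !sudoedit_follow
```

Validate the fragment with `visudo -c -f <file>` before installing it under /etc/sudoers.d/.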