From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
Date: Wed, 21 Dec 2011 20:07:28 +0100 [thread overview]
Message-ID: <4EF22E70.4040503@binarywings.net> (raw)
In-Reply-To: <20111221055507.GA25576@waltdnes.org>
On 21.12.2011 06:55, Walter Dnes wrote:
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
>> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
>>> So, incidentally, would 'sudo passwd root'...
>>
>> Ouch... any way to avoid that?
>>
>> I guess the best way would be to simply give them access to the commands
>> they need...
>>
>> I'll look into that...
>
> Howsabout in sudoers giving them the right to execute 2 commands...
>
> cat /etc/whatever > scratchfile (this one may not be necessary)
> cat scratchfile > /etc/whatever
>
That doesn't work because redirection is not done by the sudoed process
but by the calling shell. You need to do something like this:
/bin/sh -c 'cat scratchfile > /etc/whatever'
> The first command copies the contents of the file to whatever
> directory the user is in. He can work on the copy using his regular
> privileges. Note that I'm assuming the user does not have read
> privileges on the file. If he does have read privileges, then the first
> command does not require sudoers.
>
> At the last step, he can send the finished copy back to the
> original file. The sequence the user will have to follow is, logged in
> as regular user...
>
> 1a) If he does *NOT* have read privileges to /etc/whatever
> touch scratchfile
> sudo cat /etc/whatever > scratchfile
>
> 1b) If he *DOES* have read privileges to /etc/whatever
> cp /etc/whatever scratchfile
>
>
> 2) edit scratchfile *LOCALLY* with his favourite editor. No need to
> worry about restricting an editor.
>
> 3) sudo cat scratchfile > /etc/whatever
>
I just double checked my assumption that sudoedit uses $EDITOR with root
access. While the man page doesn't state it, it seems that the editor is
called with normal user rights and sudo handles exactly the same
sequence you outlined above (using a temporary file owned by
$user:$user, chmod 0600). Therefore it seems you can safely use a normal
editor with sudoedit. Sorry for the confusion.
> Note the use of "cat", rather than "cp", when using sudo. "cp" will
> copy the file attributes, including the fact that it's owned by the user
> doing the copying, e.g. sudo (as root) copies the file and it's owned by
> root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
> guarantees that the file will exist, and get overwritten by the content
> of /etc/whatever, but still retaining the fact that it's owned by the
> local user.
>
I think you can get the same result with `cp --no-preserve=all` but
probably with higher performance (not that it makes a difference with
config files).
> If local user has read access to /etc/whatever, that makes things
> easier. When he does "cp" as local user, the resulting file is owned by
> him. Edit at leisure, and send the result back with "cat".
>
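The two mechanics this reply rests on, namely that in `sudo cat scratchfile > /etc/whatever` the redirection is performed by the user's shell rather than by the sudoed process, and that plain `cp` carries the source's attributes while `cp --no-preserve=all` and `cat > newfile` do not, can both be observed without root. The script below is an added example written for this page, not code posted by anyone in the thread. It stands in `true` for a sudo that refuses to run the command (so whatever happens to the target file was done by the calling shell), and it uses permission bits as the stand-in for ownership, since ownership changes need root to observe. The temporary files and the 0600 source mode are constructed for the demonstration; GNU coreutils (`stat -c`, `cp --no-preserve`) is assumed.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# Shows, as an unprivileged user, the two points the thread turns on:
#   1. in `sudo cat src > dst` the *calling* shell opens dst, so the
#      privileged process never touches it; only `sh -c 'cat src > dst'`
#      moves the redirection into the privileged process;
#   2. `cp` keeps the source's permission bits (and, as root, its owner),
#      while `cp --no-preserve=all` and `cat > newfile` both give a fresh
#      file with the caller's defaults.
# `true` stands in for a sudo that denies the command; permission bits
# stand in for ownership. Requires GNU coreutils.
set -eu

# Returns 0 if the shell truncated dst even though `cat` never ran.
shell_redirects_even_if_command_never_runs() {
    dir=$(mktemp -d)
    echo new > "$dir/src"
    echo old > "$dir/dst"
    # `true` ignores its arguments, like a sudo that refuses the command;
    # the `> dst` is still performed by this shell before `true` starts.
    true cat "$dir/src" > "$dir/dst"
    result=1
    [ ! -s "$dir/dst" ] && result=0        # dst is now empty: the shell did it
    rm -rf "$dir"
    return $result
}

# Returns 0 if dst was left alone: the redirection is now part of the
# command string, so it only happens if the privileged process runs it.
inner_redirect_runs_only_with_command() {
    dir=$(mktemp -d)
    echo new > "$dir/src"
    echo old > "$dir/dst"
    true sh -c "cat '$dir/src' > '$dir/dst'"
    result=1
    [ "$(cat "$dir/dst")" = old ] && result=0
    rm -rf "$dir"
    return $result
}

# Prints the permission bits of three copies of a 0600 source:
# plain cp / cp --no-preserve=all / cat redirected into a new file.
copy_modes() {
    dir=$(mktemp -d)
    saved_umask=$(umask)
    umask 022                               # default new-file mode: 0644
    echo secret > "$dir/src"
    chmod 600 "$dir/src"
    cp "$dir/src" "$dir/plain"              # keeps 600 (and the owner, as root)
    cp --no-preserve=all "$dir/src" "$dir/nopreserve"
    cat "$dir/src" > "$dir/redirected"      # file created by the calling shell
    printf '%s %s %s\n' \
        "$(stat -c %a "$dir/plain")" \
        "$(stat -c %a "$dir/nopreserve")" \
        "$(stat -c %a "$dir/redirected")"
    umask "$saved_umask"
    rm -rf "$dir"
}

# Stand-alone run: report what each check found.
if shell_redirects_even_if_command_never_runs; then
    echo "1: calling shell truncated the target; the command never ran"
fi
if inner_redirect_runs_only_with_command; then
    echo "2: sh -c form: target untouched when the command does not run"
fi
echo "modes (cp / cp --no-preserve=all / cat >): $(copy_modes)"
```

Run it with `sh example.sh`. The first two checks are why Walter's copy-out step (`sudo cat /etc/whatever > scratchfile`) works as written while his write-back step needs the `/bin/sh -c '...'` form suggested above: in the copy-out direction the user's shell creating the scratch file is exactly what is wanted, in the write-back direction only root can open the target. The third check is the attribute point behind "cat rather than cp" and `cp --no-preserve=all`, with mode bits in place of ownership. One caveat for anyone who does put a copy-out into a `sh -c` line run as root: root then opens the scratchfile path itself, and a path inside the user's own directory can be replaced by a symlink, so the copy-out is better left to the user's shell as in the sequence above.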
Thread overview: 21+ messages
2011-12-20 15:04 [gentoo-user] Allow non root users to edit files owned by root? Tanstaafl
2011-12-20 15:13 ` Michael Mol
2011-12-20 16:00 ` Florian Philipp
2011-12-20 17:03 ` Tanstaafl
2011-12-20 17:20 ` Florian Philipp
2011-12-20 18:20 ` Tanstaafl
2011-12-22 15:41 ` Tanstaafl
2011-12-22 15:46 ` James Broadhead
2011-12-20 16:51 ` Tanstaafl
2011-12-20 17:06 ` Michael Mol
2011-12-21 5:55 ` Walter Dnes
2011-12-21 19:07 ` Florian Philipp [this message]
2011-12-20 17:19 ` [gentoo-user] " Nikos Chantziaras
2011-12-22 15:44 ` Tanstaafl
2011-12-22 18:00 ` Nikos Chantziaras
2011-12-22 18:53 ` Tanstaafl
2011-12-22 19:21 ` Alan McKinnon
2011-12-22 19:33 ` Tanstaafl
2011-12-22 19:49 ` Alan McKinnon
2011-12-22 19:42 ` Nikos Chantziaras
2011-12-22 19:36 ` Nikos Chantziaras