Message-ID: <4EF22E70.4040503@binarywings.net>
Date: Wed, 21 Dec 2011 20:07:28 +0100
From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Allow non root users to edit files owned by root?
References: <4EF0A415.8020007@libertytrek.org> <4EF0BCFF.8090301@libertytrek.org> <20111221055507.GA25576@waltdnes.org>
In-Reply-To: <20111221055507.GA25576@waltdnes.org>

On 21.12.2011 06:55, Walter Dnes wrote:
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
>> On 2011-12-20 10:13 AM, Michael Mol wrote:
>>> So, incidentally, would 'sudo passwd root'...
>>
>> Ouch... any way to avoid that?
>>
>> I guess the best way would be to simply give them access to the commands
>> they need...
>>
>> I'll look into that...
>
> Howsabout in sudoers giving them the right to execute 2 commands...
>
> cat /etc/whatever > scratchfile (this one may not be necessary)
> cat scratchfile > /etc/whatever
>

That doesn't work because redirection is not done by the sudoed process
but by the calling shell. You need to do something like this:

/bin/sh -c 'cat scratchfile > /etc/whatever'

> The first command copies the contents of the file to whatever
> directory the user is in. He can work on the copy using his regular
> privileges. Note that I'm assuming the user does not have read
> privileges on the file. If he does have read privileges, then the first
> command does not require sudoers.
>
> At the last step, he can send the finished copy back to the
> original file. The sequence the user will have to follow is, logged in
> as regular user...
>
> 1a) If he does *NOT* have read privileges to /etc/whatever
> touch scratchfile
> sudo cat /etc/whatever > scratchfile
>
> 1b) If he *DOES* have read privileges to /etc/whatever
> cp /etc/whatever scratchfile
>
>
> 2) edit scratchfile *LOCALLY* with his favourite editor. No need to
> worry about restricting an editor.
>
> 3) sudo cat scratchfile > /etc/whatever
>

I just double checked my assumption that sudoedit uses $EDITOR with root
access. While the man page doesn't state it, it seems that the editor is
called with normal user rights and sudo handles exactly the same sequence
you outlined above (using a temporary file owned by $user:$user, chmod
0600). Therefore it seems you can safely use a normal editor with
sudoedit. Sorry for the confusion.

> Note the use of "cat", rather than "cp", when using sudo. "cp" will
> copy the file attributes, including the fact that it's owned by the user
> doing the copying, e.g. sudo (as root) copies the file and it's owned by
> root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
> guarantees that the file will exist, and get overwritten by the content
> of /etc/whatever, but still retaining the fact that it's owned by the
> local user.
>

I think you can get the same result with `cp --no-preserve=all` but
probably with higher performance (not that it makes a difference with
config files).

> If local user has read access to /etc/whatever, that makes things
> easier. When he does "cp" as local user, the resulting file is owned by
> him. Edit at leisure, and send the result back with "cat".
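The redirection point made in the reply above, shown as an added example that is not code from the thread or from anyone on it. It runs unprivileged: PRIV is a hypothetical stand-in for sudo and defaults to `env`, which execs its arguments as a command the way sudo does but without the uid change; the config file and scratch copy are constructed in a temp directory. The sudoers remarks in the comments assume a user named alice.

```shell
#!/bin/sh
# Added demonstration, not from the mailing-list thread. PRIV is a
# hypothetical stand-in for "sudo"; with the default "env" the commands
# run as the calling user, which is enough to show what sudo would see.
PRIV="${PRIV:-env}"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# constructed stand-in for /etc/whatever
printf 'key=value\n' > "$WORK/whatever"

# Case 1: "sudo cat scratchfile > /etc/whatever". The calling shell opens
# the target itself and strips the redirection before exec; the wrapped
# command only receives "cat scratchfile". Here printf plays the part of
# cat and records its argv, so the output shows exactly what crosses the
# privilege boundary: neither '>' nor the target path. Under real sudo the
# target would therefore be opened with the caller's uid and fail.
argv_seen_by_wrapper() {
    $PRIV printf '[%s]' cat scratchfile > "$WORK/seen"
    cat "$WORK/seen"
}

# Reading in that direction is fine: cat runs privileged and reads the
# source, while the unprivileged shell creates the scratch file, so the
# copy is owned by the user (the same effect "touch" gives in the thread).
fetch_copy() {
    $PRIV cat "$1" > "$2"
    cat "$2"
}

# Case 2: move the redirection into the privileged process by making the
# whole pipeline one argument to sh. Paths are passed as positional
# parameters rather than spliced into the string, so metacharacters in a
# name cannot alter the command. In sudoers the rule must pin this exact
# argument string, both paths included: a wildcard such as "... sh *" would
# let the caller choose any destination and so grant an arbitrary root
# file write. The purpose-built tool for this is sudoedit (sudo -e) with a
# rule like "alice ALL = sudoedit /etc/whatever", which copies to a
# user-owned temp file, runs $EDITOR unprivileged and writes back as root.
copy_back_via_sh() {
    $PRIV sh -c 'cat "$1" > "$2"' sh "$1" "$2"
    cat "$2"
}

# stand-alone run: show the argv the wrapper sees, then the round trip
argv_seen_by_wrapper; echo
fetch_copy "$WORK/whatever" "$WORK/scratchfile" > /dev/null
printf 'key=edited\n' > "$WORK/scratchfile"
copy_back_via_sh "$WORK/scratchfile" "$WORK/whatever"
```

Run it as a normal user; `PRIV=sudo sh script.sh` would reproduce the real failure of case 1 only if the script's target lived in a root-owned directory, which is exactly the situation the thread is about.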