From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from <gentoo-user+bounces-132754-garchives=archives.gentoo.org@lists.gentoo.org>) id 1RdnnB-0006MM-FX for garchives@archives.gentoo.org; Thu, 22 Dec 2011 18:55:01 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E27BE21C1A7; Thu, 22 Dec 2011 18:54:52 +0000 (UTC) Received: from homiemail-a52.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by pigeon.gentoo.org (Postfix) with ESMTP id 86BFE21C090 for <gentoo-user@lists.gentoo.org>; Thu, 22 Dec 2011 18:53:51 +0000 (UTC) Received: from homiemail-a52.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a52.g.dreamhost.com (Postfix) with ESMTP id C6A946B80FF for <gentoo-user@lists.gentoo.org>; Thu, 22 Dec 2011 10:53:44 -0800 (PST) DomainKey-Signature: a=rsa-sha1; c=nofws; d=libertytrek.org; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s= libertytrek.org; b=Dq70qWXUHUtOcaft/FFo/V5GLCi6cQzWRwYAeey2MpAs/ ciBHGv6ewT1XiIjtCFXGwx/rf/CNNKHNRW4GaXeDFNmhn5tXv3dtSArSZ00uJPhg tU414ewEwqClH7//zvkToKrbG45/G/RojYIYM4oGAxqMZXfOHZudxQp7/K9o8w= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=libertytrek.org; h= message-id:date:from:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; s= libertytrek.org; bh=BsiaDPVQbAJRu5TUxqGEb+8Ezww=; b=xyvGqCNfnx5t 6X1ndtDow7vKUdjQi3XTRdYwdsb1/DK0zLOEllB46ECL3+pt8RxloQrLLV8r4zap HMxjqACHeJnSjilXwA4CANd8GO3Ylo05eDEd+p2mHHFp3MoeGhhDgD71QfHgIqBG 4sek2WLsH4KbqdVEdhmOAS9wr9S9iVE= Received: from [127.0.0.1] (smtp.media-brokers.com [70.43.81.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: tanstaafl@libertytrek.org) by homiemail-a52.g.dreamhost.com (Postfix) with ESMTPSA id E4ED56B8120 for <gentoo-user@lists.gentoo.org>; Thu, 22 Dec 2011 10:53:36 -0800 (PST) Message-ID: <4EF37CB7.1080400@libertytrek.org> Date: Thu, 22 Dec 2011 13:53:43 -0500 From: Tanstaafl <tanstaafl@libertytrek.org> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20111220 Thunderbird/9.0 Precedence: bulk List-Post: <mailto:gentoo-user@lists.gentoo.org> List-Help: <mailto:gentoo-user+help@lists.gentoo.org> List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org> List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org> List-Id: Gentoo Linux mail <gentoo-user.gentoo.org> X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Re: Allow non root users to edit files owned by root? References: <4EF0A415.8020007@libertytrek.org> <jcqg2j$7k8$1@dough.gmane.org> <4EF3506B.5020802@libertytrek.org> <jcvr6h$8ir$1@dough.gmane.org> In-Reply-To: <jcvr6h$8ir$1@dough.gmane.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: 0628ef10-284f-46e2-86f1-9c5bfa789f93 X-Archives-Hash: 4063b795b92f10b0c95672fc94f7d9ca On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote: > On 12/22/2011 05:44 PM, Tanstaafl wrote: >> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote: >>> If you allow someone to edit root owned files, you're practically giving >>> him root access. >> >> Well, yeah, but only on those defined files... > > root access is global. You can't limit it. root is root, the all > powerful Unix being. Period :-) Ummm... then what is the purpose of sudo?? If I add the following line to sudoers: %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/* Are you saying that this does NOT limit anyone in the sudoroot group to *only* be able to run the chmod command, and only on files located in /var/www/localhost/htdocs? > Then you put the files in a special group and make them g+w, and add the > affected users to that group. Then they will able to write to those > files. If you want to give them write access to a whole directory, you > put the directory in the group and make it g+w. This is how it's > traditionally been done in Unix for ages, and it's extremely easy to set > up. Yeah, I think I got a little tunnel vision trying to do this with sudo.