Message-ID: <4EF37CB7.1080400@libertytrek.org>
Date: Thu, 22 Dec 2011 13:53:43 -0500
From: Tanstaafl <tanstaafl@libertytrek.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20111220 Thunderbird/9.0
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Allow non root users to edit files owned by root?
References: <4EF0A415.8020007@libertytrek.org> <jcqg2j$7k8$1@dough.gmane.org> <4EF3506B.5020802@libertytrek.org> <jcvr6h$8ir$1@dough.gmane.org>
In-Reply-To: <jcvr6h$8ir$1@dough.gmane.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@arcor.de> wrote:
>>> If you allow someone to edit root owned files, you're practically giving
>>> him root access.
>>
>> Well, yeah, but only on those defined files...
>
> root access is global. You can't limit it. root is root, the all
> powerful Unix being. Period :-)

Ummm... then what is the purpose of sudo??

If I add the following line to sudoers:

%sudoroot       ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*

Are you saying that this does NOT limit anyone in the sudoroot group to 
*only* be able to run the chmod command, and only on files located in 
/var/www/localhost/htdocs?

> Then you put the files in a special group and make them g+w, and add the
> affected users to that group. Then they will be able to write to those
> files. If you want to give them write access to a whole directory, you
> put the directory in the group and make it g+w. This is how it's
> traditionally been done in Unix for ages, and it's extremely easy to set
> up.

Yeah, I think I got a little tunnel vision trying to do this with sudo.
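The group-based setup Nikos describes, as an added example that is not code from anyone in this thread: put the document root in a dedicated group, make it group-writable, and provide a check that reports anything that drifted. It also sets the setgid bit on directories so files created later inherit the group, which goes beyond what the thread states; the directory path and the group name are assumptions, pass your own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed usage:
#   share_dir_with_group /var/www/localhost/htdocs webedit
#   check_shared         /var/www/localhost/htdocs webedit
# Run share_dir_with_group as root once; members of the group then edit
# the files directly, with no sudo rule involved.
set -eu

# share_dir_with_group DIR GROUP
# Make DIR and everything below it group-owned by GROUP and group-writable.
# Directories also get setgid so files created inside them inherit GROUP.
share_dir_with_group() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    # directories: add group write and setgid, keep the other bits as they are
    find "$dir" -type d -exec chmod g+ws {} +
    # regular files: add group write only, leave execute bits untouched
    find "$dir" -type f -exec chmod g+w {} +
}

# check_shared DIR GROUP
# Returns 0 when every entry under DIR is owned by GROUP and group-writable
# (octal 020) and every directory carries setgid (octal 2000); otherwise
# prints the offending paths and returns 1.
check_shared() {
    dir=$1
    group=$2
    bad=$(find "$dir" \( ! -group "$group" -o ! -perm -020 \
                 -o \( -type d ! -perm -2000 \) \) -print)
    if [ -n "$bad" ]; then
        printf 'not shared correctly:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Scheduling check_shared from cron is a simple way to notice when a restore or an editor's umask silently drops the group write bit.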