From: Nikos Chantziaras
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Allow non root users to edit files owned by root?
Date: Thu, 22 Dec 2011 21:36:11 +0200
In-Reply-To: <4EF37CB7.1080400@libertytrek.org>
References: <4EF0A415.8020007@libertytrek.org> <4EF3506B.5020802@libertytrek.org> <4EF37CB7.1080400@libertytrek.org>

On 12/22/2011 08:53 PM, Tanstaafl wrote:
> On 2011-12-22 1:00 PM, Nikos Chantziaras wrote:
>> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>>> On 2011-12-20 12:19 PM, Nikos Chantziaras wrote:
>>>> If you allow someone to edit root-owned files, you're practically
>>>> giving him root access.
>>>
>>> Well, yeah, but only on those defined files...
>>
>> root access is global. You can't limit it. root is root, the
>> all-powerful Unix being. Period :-)
>
> Ummm... then what is the purpose of sudo??

sudo is for executing programs as another user. It is not for giving
file permissions.

> If I add the following line to sudoers:
>
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
>
> Are you saying that this does NOT limit anyone in the sudoroot group to
> *only* be able to run the chmod command, and only on files located in
> /var/www/localhost/htdocs?

That doesn't seem to work at all here. But even if it did work, the
users still gain full root access. Look at what users can do:

cd /var/www/localhost/htdocs
sudo chmod a+w some_directory
cd some_directory
ln /etc/passwd .
sudo chmod a+w passwd

There. He now has full write access to /etc/passwd. And with the same
methodology, to every file in the system.
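The two mechanisms behind this reply, as an added example that is not part of the thread and not anyone's posted code: first, a model of how sudo matches a rule's argument wildcard against what the user types (sudoers(5) documents that wildcards in command-line arguments also match `/`, and sudo compares the space-joined argv against the rule's argument string with fnmatch(3); the real parser handles more cases than this model), showing both why the quoted rule never matches a normal `chmod MODE FILE` call and why the obvious repair `* /var/www/localhost/htdocs/*` still admits `..` traversal and a trailing extra path. Second, the hard-link trick run unprivileged in a temporary directory: mode bits live in the inode, so `chmod` on the link changes the original path. The rule names, the directory layout and the fake passwd line are constructed for the demonstration. One caveat the post predates: Linux 3.6 and later ship `fs.protected_hardlinks=1`, which refuses `ln /etc/passwd .` for a user who cannot write /etc/passwd, so the exact sequence above fails with EPERM on most current systems unless that sysctl is off; the temp-dir version below links a file we own, so it runs regardless.

```python
"""Added example: model sudo argument matching and show why chmod on a
hard link reaches the original file. Runs unprivileged, offline."""
import fnmatch
import os
import stat
import tempfile

# Constructed rules, as (command, argument pattern). The first is the
# one quoted in the thread; the second is the "obvious" repair that
# allows a mode argument before the path.
RULE_FROM_THREAD = ("/bin/chmod", "/var/www/localhost/htdocs/*")
RULE_WITH_MODE = ("/bin/chmod", "* /var/www/localhost/htdocs/*")


def sudo_rule_allows(rule, argv):
    """Model of sudo's command + argument match (assumption, based on
    sudoers(5)): argv[0] must equal the rule's command path, and the
    remaining arguments, joined by single spaces, are matched as one
    string with fnmatch where '*' also matches '/'."""
    cmd, args_pattern = rule
    if argv[0] != cmd:
        return False
    user_args = " ".join(argv[1:])
    # fnmatchcase has no FNM_PATHNAME equivalent, so '*' crosses '/'
    # just as sudo's argument matching does.
    return fnmatch.fnmatchcase(user_args, args_pattern)


def bypasses_allowed(rule):
    """Which of three classic argument tricks the rule lets through.
    Paths are constructed; /etc/passwd is never touched."""
    base = "/var/www/localhost/htdocs"
    candidates = {
        # the legitimate call the admin meant to permit
        "plain": ["/bin/chmod", "a+w", base + "/some_directory"],
        # '*' matches '/', so '..' walks out of the web root
        "dotdot": ["/bin/chmod", "a+w", base + "/../../../../etc/passwd"],
        # trailing '*' also swallows a second, unrelated path
        "extra_path": ["/bin/chmod", "a+w", base + "/x", "/etc/passwd"],
    }
    return {name: sudo_rule_allows(rule, argv) for name, argv in candidates.items()}


def chmod_via_hardlink(target_mode=0o666):
    """Create a file, hard-link it from another directory, chmod the
    link, and report (mode seen via the ORIGINAL path, same inode?).
    Both names live in one temp dir we own, so fs.protected_hardlinks
    does not block the link and no root is needed."""
    with tempfile.TemporaryDirectory() as root:
        original = os.path.join(root, "etc_passwd")  # stands in for /etc/passwd
        with open(original, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        os.chmod(original, 0o644)

        webdir = os.path.join(root, "htdocs", "some_directory")
        os.makedirs(webdir)
        link = os.path.join(webdir, "passwd")
        os.link(original, link)       # the post's "ln /etc/passwd ."

        os.chmod(link, target_mode)   # the post's "sudo chmod a+w passwd"
        mode_original = stat.S_IMODE(os.stat(original).st_mode)
        same_inode = os.stat(original).st_ino == os.stat(link).st_ino
        return mode_original, same_inode


if __name__ == "__main__":
    for name, rule in (("thread rule", RULE_FROM_THREAD), ("with mode", RULE_WITH_MODE)):
        print(name, bypasses_allowed(rule))
    mode, same = chmod_via_hardlink()
    print("original now mode %o, same inode: %s" % (mode, same))
```

The sudo model shows the two separate problems: the rule as quoted never permits `chmod a+w FILE` at all (the mode comes first, so the joined arguments do not start with the web root), and any rule that does admit a mode argument can be steered at arbitrary paths through `..` or a second argument unless the arguments are spelled out exactly with no wildcards. The hard-link half shows that even a perfectly anchored path rule is defeated by a user who can place a link inside the permitted directory, which is the point the reply makes.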