| 1 |
On Sunday 12 November 2006 06:29, Peter Volkov (pva) wrote: |
| 2 |
> On Sun, 2006-11-12 at 05:54 -0500, Mike Frysinger wrote: |
| 3 |
> > in the example usages you cited, people where using `sudo` to just |
| 4 |
> > avoid running `su -` first ... in other words, their sudo was |
| 5 |
> > unlimited ... updating the sudoers file to allow EDITOR via env_keep |
| 6 |
> > would work fine for them |
| 7 |
> > |
| 8 |
> > in that scenario, running any app via EDITOR is not a concern as they |
| 9 |
> > already have the ability to run any command |
| 10 |
> |
| 11 |
> That is right. And I've already raised concerns about this approach in |
| 12 |
> my mail: |
| 13 |
> http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238 |
| 14 |
|
| 15 |
i dont see you discussing this approach at all |
| 16 |
|
| 17 |
> Do you know any way *how* to specify "safe" editors list inside sudoers? |
| 18 |
|
| 19 |
trying to maintain such a list is pointless as there will always be someone |
| 20 |
who likes to use some editor which is not specified in the list ... to answer |
| 21 |
your question though, i dont believe there is a way in sudoers to say "this |
| 22 |
env var may only contain XXX list of values" |
| 23 |
|
| 24 |
> I've spent some time and did not found how can I force sudo to edit |
| 25 |
> files with only known editors inside EDITOR. env_keep just keep env |
| 26 |
> variable and does not allow to specify "safe" editors list. I suppose |
| 27 |
> that this is impossible. |
| 28 |
|
| 29 |
i think you're confusing situations here ... trying to edit files should be |
| 30 |
done with `sudo -e` as that will use the user's EDITOR env var ... running |
| 31 |
`sudo crontab -e` is a different scenario as only crontab knows about the |
| 32 |
editing as it happens indirectly |
| 33 |
|
| 34 |
if you have the ability to edit root's crontab however, then you have full |
| 35 |
access to the machine ... that means you should be using env_keep in the |
| 36 |
sudoers file for the EDITOR var |
| 37 |
-mike |
Archives