On Sunday 12 November 2006 06:29, Peter Volkov (pva) wrote:
> On Sun, 2006-11-12 at 05:54 -0500, Mike Frysinger wrote:
> > in the example usages you cited, people were using `sudo` to just
> > avoid running `su -` first ... in other words, their sudo was
> > unlimited ... updating the sudoers file to allow EDITOR via env_keep
> > would work fine for them
> >
> > in that scenario, running any app via EDITOR is not a concern as they
> > already have the ability to run any command
>
> That is right. And I've already raised concerns about this approach in
> my mail:
> http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238

i dont see you discussing this approach at all

> Do you know any way *how* to specify a "safe" editors list inside sudoers?

trying to maintain such a list is pointless as there will always be someone
who likes to use some editor which is not specified in the list ... to answer
your question though, i dont believe there is a way in sudoers to say "this
env var may only contain XXX list of values"

> I've spent some time and did not find how I can force sudo to edit
> files with only known editors inside EDITOR. env_keep just keeps the env
> variable and does not allow specifying a "safe" editors list. I suppose
> that this is impossible.

i think you're confusing situations here ... trying to edit files should be
done with `sudo -e` as that will use the user's EDITOR env var ... running
`sudo crontab -e` is a different scenario as only crontab knows about the
editing as it happens indirectly

if you have the ability to edit root's crontab however, then you have full
access to the machine ... that means you should be using env_keep in the
sudoers file for the EDITOR var
-mike
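The distinction Mike draws (env_keep for EDITOR is harmless only for users who may already run ALL, while `sudo -e` is the right tool for plain file edits) can be turned into a sudoers audit. This is an added example, not code from the thread or from sudo; the sudoers fragment, the `audit_sudoers` helper and its rule format (`user host=(runas) [TAG:] commands`) are constructed here.

```python
import re

# Constructed sudoers fragment (not from the thread): a fully trusted group,
# a user limited to `crontab -e`, a sudoedit rule, and a Defaults line that
# keeps the caller's EDITOR/VISUAL for everyone.
SUDOERS_SAMPLE = """
Defaults env_reset
Defaults env_keep += "EDITOR VISUAL"
%wheel  ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/crontab -e
alice   ALL=(root) sudoedit /etc/hosts
"""

EDITOR_VARS = {"EDITOR", "VISUAL", "SUDO_EDITOR"}

def kept_editor_vars(text):
    """Return the editor variables preserved by any 'Defaults env_keep' line."""
    kept = set()
    for line in text.splitlines():
        m = re.match(r'\s*Defaults\s+env_keep\s*\+?=\s*(.+)$', line)
        if m:
            kept.update(m.group(1).strip().strip('"').split())
    return kept & EDITOR_VARS

def user_specs(text):
    """Yield (user, command list) for each 'user host=(runas) [TAG:] cmds' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r'(\S+)\s+\S+?=(?:\([^)]*\))?\s*(?:\w+:\s*)*(.+)$', line)
        if m:
            yield m.group(1), m.group(2).strip()

def audit_sudoers(text):
    """Flag restricted rules that a kept EDITOR makes effectively unrestricted.

    A user already allowed ALL gains nothing from EDITOR, so those rules are
    skipped. sudoedit rules are skipped too: sudo -e uses the caller's editor
    by design and runs it with the caller's privileges. Anything else that
    may launch an editor (crontab -e, visudo, ...) inherits whatever EDITOR
    names, so the command restriction is not what actually limits the user.
    """
    kept = kept_editor_vars(text)
    findings = []
    if not kept:
        return findings
    for user, cmds in user_specs(text):
        if cmds == "ALL" or cmds.startswith("sudoedit "):
            continue
        findings.append(f"{user}: env_keep preserves {sorted(kept)} but the "
                        f"rule only allows '{cmds}', which may launch an editor")
    return findings
```

Rules that pass the audit either grant ALL anyway or use sudoedit; the flagged ones are the ones where dropping EDITOR from env_keep (or switching the user to sudoedit) restores the intended restriction.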