| 1 |
On 12/22/2011 08:53 PM, Tanstaafl wrote: |
| 2 |
> On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@×××××.de> wrote: |
| 3 |
>> On 12/22/2011 05:44 PM, Tanstaafl wrote: |
| 4 |
>>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@×××××.de> wrote: |
| 5 |
>>>> If you allow someone to edit root owned files, you're practically |
| 6 |
>>>> giving |
| 7 |
>>>> him root access. |
| 8 |
>>> |
| 9 |
>>> Well, yeah, but only on those defined files... |
| 10 |
>> |
| 11 |
>> root access is global. You can't limit it. root is root, the all |
| 12 |
>> powerful Unix being. Period :-) |
| 13 |
> |
| 14 |
> Ummm... then what is the purpose of sudo?? |
| 15 |
|
| 16 |
sudo is for executing programs as another user. It is not for giving |
| 17 |
file permissions. |
| 18 |
|
| 19 |
|
| 20 |
> If I add the following line to sudoers: |
| 21 |
> |
| 22 |
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/* |
| 23 |
> |
| 24 |
> Are you saying that this does NOT limit anyone in the sudoroot group to |
| 25 |
> *only* be able to run the chmod command, and only on files located in |
| 26 |
> /var/www/localhost/htdocs? |
| 27 |
|
| 28 |
That doesn't seem to work at all here. But even if it did work, the |
| 29 |
users still gain full root access. Look at what users can do: |
| 30 |
|
| 31 |
cd /var/www/localhost/htdocs |
| 32 |
sudo chmod a+w some_directory |
| 33 |
cd some_directory |
| 34 |
ln /etc/passwd . |
| 35 |
sudo chmod a+w passwd |
| 36 |
|
| 37 |
There. He now has full write access to /etc/passwd. And with the same |
| 38 |
methodology, to every file in the system. |
Archives