1 |
On 12/22/2011 08:53 PM, Tanstaafl wrote: |
2 |
> On 2011-12-22 1:00 PM, Nikos Chantziaras <realnc@×××××.de> wrote: |
3 |
>> On 12/22/2011 05:44 PM, Tanstaafl wrote: |
4 |
>>> On 2011-12-20 12:19 PM, Nikos Chantziaras <realnc@×××××.de> wrote: |
5 |
>>>> If you allow someone to edit root owned files, you're practically |
6 |
>>>> giving |
7 |
>>>> him root access. |
8 |
>>> |
9 |
>>> Well, yeah, but only on those defined files... |
10 |
>> |
11 |
>> root access is global. You can't limit it. root is root, the all |
12 |
>> powerful Unix being. Period :-) |
13 |
> |
14 |
> Ummm... then what is the purpose of sudo?? |
15 |
|
16 |
sudo is for executing programs as another user. It is not for giving |
17 |
file permissions. |
18 |
|
19 |
|
20 |
> If I add the following line to sudoers: |
21 |
> |
22 |
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/* |
23 |
> |
24 |
> Are you saying that this does NOT limit anyone in the sudoroot group to |
25 |
> *only* be able to run the chmod command, and only on files located in |
26 |
> /var/www/localhost/htdocs? |
27 |
|
28 |
That doesn't seem to work at all here. But even if it did work, the |
29 |
users still gain full root access. Look at what users can do: |
30 |
|
31 |
cd /var/www/localhost/htdocs |
32 |
sudo chmod a+w some_directory |
33 |
cd some_directory |
34 |
ln /etc/passwd . |
35 |
sudo chmod a+w passwd |
36 |
|
37 |
There. He now has full write access to /etc/passwd. And with the same |
38 |
methodology, to every file in the system. |