| 1 |
Am 20.12.2011 16:13, schrieb Michael Mol: |
| 2 |
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
>> Hi all, |
| 4 |
>> |
| 5 |
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of |
| 6 |
>> sudo (never had to use it before). |
| 7 |
>> |
| 8 |
>> I have a new hosted VM server that I want to allow a user to be able to edit |
| 9 |
>> files owned by root, but without giving them the root password. |
| 10 |
>> |
| 11 |
>> I already did: |
| 12 |
>> |
| 13 |
>> /usr/sbin/visudo |
| 14 |
>> |
| 15 |
>> and added the following line: |
| 16 |
>> |
| 17 |
>> %sudoroot ALL=(ALL) ALL |
| 18 |
>> |
| 19 |
>> and made sure the user is in this group, but they still get an access denied |
| 20 |
>> error when trying to mv or cp files that are owned bu root. |
| 21 |
>> |
| 22 |
>> What is the best way to do this? I'd really prefer to not give them the root |
| 23 |
>> password so they can su -... |
| 24 |
> |
| 25 |
> The sudo command allows commands to be executed *as though they were root*. |
| 26 |
> |
| 27 |
> 'sudo su -' would work. So would 'sudo mv src dst'. |
| 28 |
> |
| 29 |
> So, incidentally, would 'sudo passwd root'... |
| 30 |
> |
| 31 |
|
| 32 |
For file editing alone, you can allow rights to sudoedit, for example: |
| 33 |
%sudoroot sudoedit |
| 34 |
|
| 35 |
This allows sudoroot members to execute `sudoedit $file` which starts an |
| 36 |
editor (defined via environment variable EDITOR) with the file in a save |
| 37 |
fashion (similar to visudo). But you also have to restrict the editors |
| 38 |
because most of them are able to spawn a shell (which would then have |
| 39 |
root rights). Restricted editors like `rnano` or `rvim` circumvent this |
| 40 |
issue. To do this, set something like this in your sudoers file: |
| 41 |
editor=rnano:rvim |
| 42 |
|
| 43 |
You should probably also restrict which files can be edited (not |
| 44 |
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this |
| 45 |
with globs. For example: |
| 46 |
%sudoroot sudoedit /var/www/* |
| 47 |
|
| 48 |
Hope this helps, |
| 49 |
Florian Philipp |
Archives