On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@×××××××××××.org> wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
>> sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to edit
>> files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access denied
>> error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the root
>> password so they can su -...
>
> The sudo command allows commands to be executed *as though they were root*.
>
> 'sudo su -' would work. So would 'sudo mv src dst'.
>
> So, incidentally, would 'sudo passwd root'...
>

For file editing alone, you can allow rights to sudoedit, for example:
%sudoroot ALL = sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo). But you also have to restrict the editors
because most of them are able to spawn a shell (which would then have
root rights). Restricted editors like `rnano` or `rvim` circumvent this
issue. To do this, set something like this in your sudoers file:
Defaults editor=/usr/bin/rnano:/usr/bin/rvim

You should probably also restrict which files can be edited (not
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
with globs. For example:
%sudoroot ALL = sudoedit /var/www/*

Hope this helps,
Florian Philipp
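As an added example (not from this thread and not part of sudo itself), the following script lints a simplified sudoers fragment for the three points raised in the reply: a blanket `ALL` rule, an editor list that still allows shell-capable editors, and a sudoedit glob that reaches the sensitive files named above. The rule grammar it parses, the SHELL_CAPABLE list and the use of Python's fnmatch for glob matching are assumptions of this example, not sudo's own matching code.

```python
import re
from fnmatch import fnmatch

# Constructed sudoers fragments (not taken from any real server): BEFORE is the
# rule the original poster added, AFTER the restricted form the reply suggests.
BEFORE = "%sudoroot ALL=(ALL) ALL\n"
AFTER = "Defaults editor=/usr/bin/rnano:/usr/bin/rvim\n%sudoroot ALL = sudoedit /var/www/*\n"

SHELL_CAPABLE = {"vi", "vim", "nano", "emacs", "ed"}  # assumed: editors that can run a shell
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")  # files the reply rules out

# who  host = (runas) cmd1, cmd2 ...   (Defaults lines are handled separately)
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_sudoers(text):
    # Returns (defaults dict, list of rule dicts) for a simple sudoers fragment.
    defaults, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            for item in line[len("Defaults"):].split(","):
                key, _, value = item.strip().partition("=")
                defaults[key] = value
        elif (m := RULE_RE.match(line)):
            cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
            rules.append({**m.groupdict(), "cmds": cmds})
    return defaults, rules

def findings(text):
    # Flags the three problems discussed in the thread, in file order.
    defaults, rules = parse_sudoers(text)
    out = []
    editors = [e.rsplit("/", 1)[-1] for e in defaults.get("editor", "").split(":") if e]
    if not editors:
        out.append("no 'Defaults editor=' list: sudoedit's editor is not restricted")
    out += [f"editor {e} can spawn a shell as root" for e in editors if e in SHELL_CAPABLE]
    for r in rules:
        for cmd in r["cmds"]:
            words = cmd.split()
            if cmd == "ALL":
                out.append(f"{r['who']}: 'ALL' allows any command as root, including su -")
            elif words[0] == "sudoedit":
                if len(words) == 1:
                    out.append(f"{r['who']}: sudoedit without a file list can edit any file")
                for pat in words[1:]:  # fnmatch only approximates sudo's own glob rules
                    hits = [f for f in SENSITIVE if fnmatch(f, pat)]
                    if hits:
                        out.append(f"{r['who']}: sudoedit {pat} reaches {', '.join(hits)}")
    return out
```

Running `findings(BEFORE)` reports the unrestricted rule and the missing editor list; `findings(AFTER)` reports nothing.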