| 1 |
Am 21.12.2011 06:55, schrieb Walter Dnes: |
| 2 |
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote |
| 3 |
>> On 2011-12-20 10:13 AM, Michael Mol <mikemol@×××××.com> wrote: |
| 4 |
>>> So, incidentally, would 'sudo passwd root'... |
| 5 |
>> |
| 6 |
>> Ouch... any way to avoid that? |
| 7 |
>> |
| 8 |
>> I guess the best way would be to simply give them access to the commands |
| 9 |
>> they need... |
| 10 |
>> |
| 11 |
>> I'll look into that... |
| 12 |
> |
| 13 |
> Howsabout in sudoers giving them the right to execute 2 commands... |
| 14 |
> |
| 15 |
> cat /etc/whatever > scratchfile (this one may not be necessary) |
| 16 |
> cat scratchfile > /etc/whatever |
| 17 |
> |
| 18 |
|
| 19 |
That doesn't work because redirection is not done by the sudoed process |
| 20 |
but by the calling shell. You need to do something like this: |
| 21 |
/bin/sh -c 'cat scratchfile > /etc/whatever' |
| 22 |
|
| 23 |
> The first command copies the contents of the file to whatever |
| 24 |
> directory the user is in. He can work on the copy using his regular |
| 25 |
> privileges. Note that I'm assuming the user does not have read |
| 26 |
> privileges on the file. If he does have read privileges, then the first |
| 27 |
> command does not require sudoers. |
| 28 |
> |
| 29 |
> At the last step, he can send the finished copy back to the |
| 30 |
> original file. The sequence the user will have to follow is, logged in |
| 31 |
> as regular user... |
| 32 |
> |
| 33 |
> 1a) If he does *NOT* have read prileges to /etc/whatever |
| 34 |
> touch scratchfile |
| 35 |
> sudo cat /etc/whatever > scratchfile |
| 36 |
> |
| 37 |
> 1b) If he *DOES* have read prileges to /etc/whatever |
| 38 |
> cp /etc/whatever scratchfile |
| 39 |
> |
| 40 |
> |
| 41 |
> 2) edit scratchfile *LOCALLY* with his favourite editor. No need to |
| 42 |
> worry about restricting an editor. |
| 43 |
> |
| 44 |
> 3) sudo cat scratchfile > /etc/whatever |
| 45 |
> |
| 46 |
|
| 47 |
I just double checked my assumption that sudoedit uses $EDITOR with root |
| 48 |
access. While the man page doesn't state it, it seems that the editor is |
| 49 |
called with normal user rights and sudo handles exactly the same |
| 50 |
sequence you outlined above (using a temporary file owned by |
| 51 |
$user:$user, chmod 0600). Therefore it seems you can safely use a normal |
| 52 |
editor with sudoedit. Sorry for the confusion. |
| 53 |
|
| 54 |
> Note the use of "cat", rather than "cp", when using sudo. "cp" will |
| 55 |
> copy the file attributes, including the fact that it's owned by the user |
| 56 |
> doing the copying, e.g. sudo (as root) copies the file and it's owned by |
| 57 |
> root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch" |
| 58 |
> guarantees that the file will exist, and get overwritten by the content |
| 59 |
> of /etc/whatever, but still retaining the fact that it's owned by the |
| 60 |
> local user. |
| 61 |
> |
| 62 |
|
| 63 |
I think you can get the same result with `cp --no-preserve=all` but |
| 64 |
probably with higher performance (not that is makes a difference with |
| 65 |
config files). |
| 66 |
|
| 67 |
> If local user has read access to /etc/whatever, that makes things |
| 68 |
> easier. When he does "cp" as local user, the resulting file is owned by |
| 69 |
> hin. Edit at liesure, and send the result back with "cat". |
| 70 |
> |
Archives