On 21.12.2011 06:55, Walter Dnes wrote:
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
>> On 2011-12-20 10:13 AM, Michael Mol <mikemol@×××××.com> wrote:
>>> So, incidentally, would 'sudo passwd root'...
>>
>> Ouch... any way to avoid that?
>>
>> I guess the best way would be to simply give them access to the commands
>> they need...
>>
>> I'll look into that...
>
> Howsabout in sudoers giving them the right to execute 2 commands...
>
> cat /etc/whatever > scratchfile (this one may not be necessary)
> cat scratchfile > /etc/whatever
>

That doesn't work because redirection is not done by the sudoed process
but by the calling shell. You need to do something like this:
/bin/sh -c 'cat scratchfile > /etc/whatever'

> The first command copies the contents of the file to whatever
> directory the user is in. He can work on the copy using his regular
> privileges. Note that I'm assuming the user does not have read
> privileges on the file. If he does have read privileges, then the first
> command does not require sudoers.
>
> At the last step, he can send the finished copy back to the
> original file. The sequence the user will have to follow is, logged in
> as regular user...
>
> 1a) If he does *NOT* have read privileges to /etc/whatever
> touch scratchfile
> sudo cat /etc/whatever > scratchfile
>
> 1b) If he *DOES* have read privileges to /etc/whatever
> cp /etc/whatever scratchfile
>
>
> 2) edit scratchfile *LOCALLY* with his favourite editor. No need to
> worry about restricting an editor.
>
> 3) sudo cat scratchfile > /etc/whatever
>
|
47 |
I just double checked my assumption that sudoedit uses $EDITOR with root |
48 |
access. While the man page doesn't state it, it seems that the editor is |
49 |
called with normal user rights and sudo handles exactly the same |
50 |
sequence you outlined above (using a temporary file owned by |
51 |
$user:$user, chmod 0600). Therefore it seems you can safely use a normal |
52 |
editor with sudoedit. Sorry for the confusion. |
53 |
|
54 |
> Note the use of "cat", rather than "cp", when using sudo. "cp" will |
55 |
> copy the file attributes, including the fact that it's owned by the user |
56 |
> doing the copying, e.g. sudo (as root) copies the file and it's owned by |
57 |
> root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch" |
58 |
> guarantees that the file will exist, and get overwritten by the content |
59 |
> of /etc/whatever, but still retaining the fact that it's owned by the |
60 |
> local user. |
61 |
> |
62 |
|
63 |
I think you can get the same result with `cp --no-preserve=all` but |
64 |
probably with higher performance (not that is makes a difference with |
65 |
config files). |
66 |
|
67 |
> If local user has read access to /etc/whatever, that makes things |
68 |
> easier. When he does "cp" as local user, the resulting file is owned by |
69 |
> hin. Edit at liesure, and send the result back with "cat". |
70 |
> |
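
A sudoers fragment, added here as an illustration and not taken from the thread, that puts the three grants discussed above side by side: the over-broad "cat" rule, the exact-argument "/bin/sh -c" rule needed for the write-back step, and the sudoedit rule the reply ends up recommending. The group name cfgedit is an assumption; /etc/whatever is the thread's placeholder for the protected file.

```sudoers
# Added example, not from the thread. "cfgedit" is an assumed group name
# and /etc/whatever is the thread's placeholder for the protected file.

# Too broad: with no argument list, any arguments are accepted, so a
# member can run "sudo cat /etc/shadow" just as well as "sudo cat /etc/whatever".
%cfgedit ALL=(root) /bin/cat

# Exact-argument grant for the write-back step. sudoers compares the
# argument string literally, so only this one "sh -c" string is permitted,
# and the redirection is performed by the root shell, not by the caller's
# shell. Caveat: "scratchfile" is resolved in the caller's working
# directory, so root reads whatever that name points to (a symlink to a
# file the caller cannot read included) and writes it into /etc/whatever.
%cfgedit ALL=(root) /bin/sh -c cat scratchfile > /etc/whatever

# Preferred: sudoedit copies /etc/whatever to a temporary file owned by the
# caller, runs the caller's editor on that copy without privileges, and
# writes the result back to /etc/whatever as root. No shell is involved.
%cfgedit ALL=(root) sudoedit /etc/whatever
```

Check the file with `visudo -cf` before installing it, then log in as a member of the group and run `sudo -l` to see what was actually granted; `sudo -l /bin/sh -c 'cat scratchfile > /etc/whatever'` reports whether that literal string matches the exact-argument rule (this is how I read the sudoers argument matching, so confirm it with `sudo -l` before relying on it). With the last rule in place the member simply runs `sudoedit /etc/whatever` (or `sudo -e /etc/whatever`) and edits with their normal editor, which is the sequence the reply describes.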