| 1 |
Am 20.12.2011 18:03, schrieb Tanstaafl: |
| 2 |
> On 2011-12-20 11:00 AM, Florian Philipp <lists@×××××××××××.net> wrote: |
| 3 |
>> You should probably also restrict which files can be edited (not |
| 4 |
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this |
| 5 |
>> with globs. For example: |
| 6 |
>> %sudoroot sudoedit/var/www/* |
| 7 |
> |
| 8 |
> Great, that helps... but... |
| 9 |
> |
| 10 |
> He wants to use nano, so I set this up for nano, but there is one little |
| 11 |
> issue... |
| 12 |
> |
| 13 |
> He sometimes uses different flags with nano (ie, 'nano -wc filename') - |
| 14 |
> is there a way to specify the use with or without flags? I know you can |
| 15 |
> use: |
| 16 |
> |
| 17 |
> /bin/nano -* /etc/apache2/*, |
| 18 |
> |
| 19 |
> But this fails if no flags are specified. |
| 20 |
> |
| 21 |
|
| 22 |
Well, as I've said, using a /normal/ editor doesn't solve the problem |
| 23 |
because you can use nano for opening a shell, thereby escalating your |
| 24 |
privileges. You have to use rnano (or nano -R). This solution is not |
| 25 |
really meant for the luxury of a full blown editor with arbitrary |
| 26 |
arguments and capabilities. rnano doesn't read nanorc files, for |
| 27 |
example. If you cannot agree on a common set of safe flags, you |
| 28 |
shouldn't use sudo for this purpose. |
| 29 |
|
| 30 |
In that case, I recommend Michael's proposed solution of ACLs or |
| 31 |
probably group write access +setgid to the specific directories. |
| 32 |
Alternatively, allow editing outside of the directory and something like |
| 33 |
%sudoroot cp * /etc/apache/* |
| 34 |
so that they can /commit/ their changes instead of editing directly. |
| 35 |
|
| 36 |
Regards, |
| 37 |
Florian Philipp |
Archives