William R Ward <[EMAIL PROTECTED]> writes:
> Is there any kind of wrapper that can be used to allow sudo to grant
> editing access to only one file? I am thinking of something similar
> to vipw or visudo, but with security in mind; following this basic
> algorithm:
>
> 1. Using user privileges, Copy the desired file to a temp file owned
>    by the real user.
> 2. Using user privileges, Edit the temp file.
> 3. Using root privileges, copy the temp file to the final location.

People have mentioned that nvi and vim have "secure modes" but there is still the risk of running a program that really wasn't designed with modern security issues in mind. Also, for people who don't like to use vi, or who prefer a different version of vi than the one that has the best "secure mode", it wouldn't work.

It would be better if it was /etc/alternatives/editor rather than nvi or vim. This *is* Debian we're talking about :-)

Since the editing can be done with normal user privileges (assuming the source file is readable, and even that can be got around), any editor could be used. Trouble is, that doesn't work with sudo.

What I think is needed is a new program that is "sudo-aware" (probably linked with many of sudo's object files), uses /etc/sudoers for permission, etc. but uses $EDITOR or /etc/alternatives or whatever to choose the actual program for editing. Even emacsclient/gnuclient could do the trick.

The only part where root privs are needed is *installing* the edited file. It'd be best to limit the root privs to where they are actually needed.

--Bill.

--
William R Ward [EMAIL PROTECTED] http://www.wards.net/~bill/
-----------------------------------------------------------------------------
If you're not part of the solution, you're part of the precipitate.
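
The three-step scheme from the message above, written out as an added example (not part of the original post and not sudo's own code). `edit_one_file` and `PRIV` are hypothetical names, and the sketch assumes the target's directory is not writable by the user and that a sudoers rule permits exactly `tee <target>`:

```shell
#!/bin/sh
# Added example; edit_one_file and PRIV are hypothetical names, not part of sudo.
# PRIV is the privilege-raising prefix. Because step 3 is always exactly
# "tee <target>", a sudoers rule can name that one command with fixed arguments.
PRIV=${PRIV-sudo}

edit_one_file() {
    target=$1
    # Refuse symlinks and non-regular files so the privileged write
    # cannot be pointed at a different file.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refusing: $target is not a regular file" >&2
        return 2
    fi

    # Step 1 (user privileges): private working copy plus a reference copy.
    tmp=$(mktemp) || return 2      # mktemp: unpredictable name, mode 0600
    ref=$(mktemp) || { rm -f "$tmp"; return 2; }
    if ! cat "$target" > "$tmp" || ! cp "$tmp" "$ref"; then
        rm -f "$tmp" "$ref"
        return 2
    fi

    # Step 2 (user privileges): any editor; left unquoted so a value
    # such as "emacsclient -t" is split into command and arguments.
    st=0
    ${EDITOR:-vi} "$tmp" || st=1

    # Step 3 (root privileges): reached only if the editor exited cleanly
    # and the content changed. The editor itself never runs as root.
    if [ "$st" -eq 0 ]; then
        if cmp -s "$tmp" "$ref"; then
            st=3                   # unchanged, nothing installed
        else
            # Writing in place keeps the target's existing owner and mode.
            $PRIV tee "$target" < "$tmp" > /dev/null || st=4
        fi
    fi
    rm -f "$tmp" "$ref"
    return "$st"
}
```

Return codes: 0 installed, 1 editor failed, 2 refused or setup error, 3 unchanged, 4 privileged write failed.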