On Thu, Nov 29, 2001 at 02:45:08PM -0800, William R Ward wrote:
>
> A lazy sysadmin, not thinking through the ramifications, might put
> things like "/usr/bin/vi /etc/aliases" in the sudoers file, thinking
> that it limits access.  But of course, vi has the ":e" command...

That's only if they aren't thinking... If they were really smart they might run :!/bin/bash... then they have root shell access to the entire box... :-)

> Is there any kind of wrapper that can be used to allow sudo to grant
> editing access to only one file?  I am thinking of something similar
> to vipw or visudo, but with security in mind; following this basic
> algorithm:
>
> 1. Using user privileges, copy the desired file to a temp file owned
>    by the real user.
> 2. Using user privileges, edit the temp file.
> 3. Using root privileges, copy the temp file to the final location.
>
> Does such a beast exist?  If not, I think it should.  It should
> probably obey the /etc/alternatives preferences for editors, too.
>
> --Bill.
>
> --
> William R Ward [EMAIL PROTECTED]
> http://www.wards.net/~bill/
> -----------------------------------------------------------------------------
> If you're not part of the solution, you're part of the precipitate.
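
The three-step algorithm quoted above, sketched as a POSIX shell wrapper; this is an added example, not code from the thread. The function names, the `INSTALL_CMD` variable and the helper path `/usr/local/sbin/install-aliases` are hypothetical, and the target file is assumed to be readable by the invoking user.

```shell
#!/bin/sh
# Added example, not from the thread. The helper path named below is hypothetical.

# Privileged half (step 3). In deployment this is the body of a root-owned
# script with the target hard-coded, and that script is the only sudoers entry.
# New content arrives on stdin, so root never opens a path the user controls.
install_from_stdin() {
    target=$1
    new=$(mktemp "$target.XXXXXX") || return 1
    # Copy the old file first so the replacement keeps its owner and mode,
    # then rename into place so readers never see a half-written file.
    if cp -p -- "$target" "$new" && cat > "$new" && mv -f -- "$new" "$target"; then
        return 0
    fi
    rm -f -- "$new"
    return 1
}

# Unprivileged half (steps 1 and 2), run as the real user: ":e" or
# ":!/bin/bash" typed into the editor gets only that user's own rights.
safe_edit() {
    target=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/safeedit.XXXXXX") || return 1  # 0600, user-owned
    if ! cat -- "$target" > "$tmp"; then rm -f -- "$tmp"; return 1; fi
    # Honour VISUAL/EDITOR; "editor" is the Debian alternatives link.
    if ! ${VISUAL:-${EDITOR:-editor}} "$tmp"; then rm -f -- "$tmp"; return 1; fi
    status=0
    if cmp -s -- "$target" "$tmp"; then
        echo "no changes; $target left untouched" >&2
    else
        # Runs in-process by default so the example works without root; in
        # deployment: INSTALL_CMD="sudo /usr/local/sbin/install-aliases"
        ${INSTALL_CMD:-install_from_stdin} "$target" < "$tmp" || status=1
    fi
    rm -f -- "$tmp"
    return "$status"
}
```

sudo's own `sudoedit` (`sudo -e`) follows the same copy, edit, install pattern.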