Hi, maybe I misunderstand the intention here, but isn't it pointless to restrict privileges of the editing process of /etc/aliases if you could just as well change root's alias to a program that's run whenever root receives email and, e.g., puts one's most favourite /etc/passwd in place of the original?

regards, uLI

On Thu, Nov 29, 2001 at 02:45:08PM -0800 or thereabouts, William R Ward wrote:
> A lazy sysadmin, not thinking through the ramifications, might put
> things like "/usr/bin/vi /etc/aliases" in the sudoers file, thinking
> that it limits access. But of course, vi has the ":e" command...
>
> Is there any kind of wrapper that can be used to allow sudo to grant
> editing access to only one file? I am thinking of something similar
> to vipw or visudo, but with security in mind; following this basic
> algorithm:
>
> 1. Using user privileges, Copy the desired file to a temp file owned
> by the real user.
> 2. Using user privileges, Edit the temp file.
> 3. Using root privileges, copy the temp file to the final location.
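
An added example, not part of the original thread: a content check that a wrapper could run on the user-edited temp copy before the root-privileged copy-back in step 3, rejecting alias targets that deliver to a program, a file or an include list, which is the case the reply raises. It assumes sendmail-style aliases syntax; the function names and the sample text are hypothetical and constructed for illustration.

```python
import re

# Constructed sample of a user-edited temp copy (not from the original thread).
SAMPLE = '''\
# constructed example
postmaster: root
root: alice,
    "|/usr/local/bin/handler"
lists: :include:/home/alice/members
archive: /var/tmp/archive.mbox
staff: alice, bob@example.org
'''

def parse_aliases(text):
    """Return {alias: [targets]}, honouring comments and continuation lines."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            body = raw                      # continuation of the previous alias
        else:
            name, sep, body = raw.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {raw!r}")
            current = name.strip().lower()
            entries.setdefault(current, [])
        # Split on commas, keeping double-quoted targets in one piece.
        for tgt in re.findall(r'"[^"]*"|[^,\s][^,]*', body):
            tgt = tgt.strip().strip('"').strip()
            if tgt:
                entries[current].append(tgt)
    return entries

def risky_targets(entries):
    """List (alias, target, kind) for targets that are not plain addresses."""
    findings = []
    for alias, targets in entries.items():
        for t in targets:
            if t.startswith("|"):
                findings.append((alias, t, "program"))
            elif t.lower().startswith(":include:"):
                findings.append((alias, t, "include"))
            elif t.startswith("/"):
                findings.append((alias, t, "file"))
    return findings

def safe_to_install(text):
    """Gate for step 3: accept only copies whose targets are plain addresses."""
    return not risky_targets(parse_aliases(text))
```

A copy that passes this check can still redirect where mail for any alias goes, so the check narrows what the editing user can do rather than making the edit harmless.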