On Fri, May 25, 2012 at 6:31 AM, Slavko <li...@slavino.sk> wrote:
> On Fri, 25 May 2012 10:13:05 +0200, Denis Witt
> <denis.w...@concepts-and-training.de> wrote:
>> * editing of php.ini
>
> It is possible to set the whole command line (with file name) in
> /etc/sudoers, but see below. Try tweaking unix group memberships for this.
>>
>> * some editors
>
> Here there can be a security problem, because some of the editors can run
> a shell, or allow opening more files. If you allow opening an editor with
> high privileges, then these privileges can be used to open other files or
> execute commands too. I found the sudoedit command, try to read more about
> it, but the editor's problem is still here.

Do you need to be root to edit php.ini and does your partner need to
edit root-editable-only files?

>> * apt-get install but not remove
>
> IMO this is possible by setting the whole command "apt-get options *" in
> sudoers, but I never tried this. I have this on one of my servers:
>
> User_Alias EJABBER = snmp, www-data
> ...
> EJABBER ALL=(ejabberd) NOPASSWD: /usr/sbin/ejabberdctl stats *
>
> With this line (I hope) only snmp and www-data can run the
> "/usr/sbin/ejabberdctl stats *" command. The asterisk can be replaced by
> any other option (package name for you). But be careful with apt-get,
> because more than one command (install, remove, ...) can be
> used in one line... Perhaps some shell script for this, which will accept
> only package names?

You can create a "/usr/local/bin/a-g-i.sh" wrapper script

    #!/bin/sh
    if [ x"$*" = x ]; then
      echo "USAGE: ..."
    else
      /usr/bin/apt-get install -- "$@"
    fi

and give your partner (if you're comfortable giving that company
installation rights!) sudo access to it. They'll also need to use
"apt-get update".
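A stricter take on the "accept only package names" wrapper discussed above, as an added example that is not part of the original thread. It checks every argument because apt-get install treats a trailing hyphen ("pkg-") as a request to remove pkg, and it passes --no-remove so dependency resolution cannot remove packages either. The function names and the validation rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: stricter variant of the a-g-i.sh wrapper from the thread.
# Assumption: every argument must be a bare Debian package name.
LC_ALL=C; export LC_ALL   # keep a-z from matching uppercase in some locales

# Return 0 only if $1 is a bare package name that apt-get cannot read as
# an option, a removal request, or a version/release selector.
valid_pkg_arg() {
    case "$1" in
        ''|?)            return 1 ;;  # empty or shorter than two characters
        *[!a-z0-9+.-]*)  return 1 ;;  # '=', '/', ':', '*', space, uppercase
        [!a-z0-9]*)      return 1 ;;  # must start alphanumeric (blocks -o, --purge)
        *-)              return 1 ;;  # "pkg-" makes apt-get install REMOVE pkg
    esac
    return 0
}

agi_main() {
    if [ "$#" -eq 0 ]; then
        printf 'USAGE: %s package [package ...]\n' "${0##*/}" >&2
        return 2
    fi
    # Validate everything first so a bad argument stops the whole request.
    for arg in "$@"; do
        if ! valid_pkg_arg "$arg"; then
            printf 'rejected argument: %s\n' "$arg" >&2
            return 1
        fi
    done
    # --no-remove: apt-get aborts if resolving dependencies would remove
    # an installed package; "--" ends option parsing as in the original.
    /usr/bin/apt-get install --no-remove -- "$@"
}

# Run only when invoked under the wrapper's own name, so the functions can
# be loaded and tested without calling apt-get.
case "${0##*/}" in
    a-g-i.sh) agi_main "$@" ;;
esac
```

In sudoers the wrapper would be listed by its full path with no wildcard, since the script does its own argument checking.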