On Sunday 12 November 2006 06:29, Peter Volkov (pva) wrote:
> On Sun, 2006-11-12 at 05:54 -0500, Mike Frysinger wrote:
> > in the example usages you cited, people were using `sudo` to just
> > avoid running `su -` first ... in other words, their sudo was
> > unlimited ... updating the sudoers file to allow EDITOR via env_keep
> > would work fine for them
> >
> > in that scenario, running any app via EDITOR is not a concern as they
> > already have the ability to run any command
>
> That is right. And I've already raised concerns about this approach in
> my mail:
> http://thread.gmane.org/gmane.linux.gentoo.devel/44218/focus=44238

i don't see you discussing this approach at all

> Do you know any way *how* to specify "safe" editors list inside sudoers?

trying to maintain such a list is pointless as there will always be someone 
who likes to use some editor which is not specified in the list ... to answer 
your question though, i don't believe there is a way in sudoers to say "this 
env var may only contain XXX list of values"

> I've spent some time and did not find how I can force sudo to edit
> files with only known editors inside EDITOR. env_keep just keeps env
> variable and does not allow to specify "safe" editors list. I suppose
> that this is impossible.

i think you're confusing situations here ... trying to edit files should be 
done with `sudo -e` as that will use the user's EDITOR env var ... running 
`sudo crontab -e` is a different scenario as only crontab knows about the 
editing as it happens indirectly

if you have the ability to edit root's crontab however, then you have full 
access to the machine ... that means you should be using env_keep in the 
sudoers file for the EDITOR var
-mike
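
The two situations distinguished in this message, sketched as a sudoers fragment. This is an added example, not part of the original thread; the group `wheel`, the user `alice` and the file `/etc/hosts` are assumptions chosen for illustration.

```sudoers
# Case 1: unrestricted sudo. Members of wheel can already run any command
# as root, so letting EDITOR through adds no privilege they lack.
# With EDITOR preserved, `sudo crontab -e` starts the user's own editor,
# because crontab itself reads EDITOR from the environment sudo hands it.
Defaults:%wheel env_keep += "EDITOR"
%wheel  ALL=(ALL) ALL

# Case 2: a limited user who only needs to edit one file.
# Grant sudoedit on that file instead of passing EDITOR to a root process.
# `sudo -e /etc/hosts` reads EDITOR from the invoking user's environment
# on its own (no env_keep needed), runs the editor as that user on a
# temporary copy, and writes the copy back when the editor exits.
alice   ALL=(root) sudoedit /etc/hosts

# Not a limited grant: a rule like the one below hands out full root.
# crontab launches whatever editor it is told to use as root, and anyone
# who can edit root's crontab can schedule arbitrary commands anyway.
# alice ALL=(root) /usr/bin/crontab -e
```

Edit the real file with `visudo` so a syntax error is caught before it is installed.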
