Am 20.12.2011 18:03, schrieb Tanstaafl: > On 2011-12-20 11:00 AM, Florian Philipp <li...@binarywings.net> wrote: >> You should probably also restrict which files can be edited (not >> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this >> with globs. For example: >> %sudoroot sudoedit/var/www/* > > Great, that helps... but... > > He wants to use nano, so I set this up for nano, but there is one little > issue... > > He sometimes uses different flags with nano (ie, 'nano -wc filename') - > is there a way to specify the use with or without flags? I know you can > use: > > /bin/nano -* /etc/apache2/*, > > But this fails if no flags are specified. >
Well, as I've said, using a /normal/ editor doesn't solve the problem because you can use nano for opening a shell, thereby escalating your privileges. You have to use rnano (or nano -R). This solution is not really meant for the luxury of a full blown editor with arbitrary arguments and capabilities. rnano doesn't read nanorc files, for example. If you cannot agree on a common set of safe flags, you shouldn't use sudo for this purpose. In that case, I recommend Michael's proposed solution of ACLs or probably group write access +setgid to the specific directories. Alternatively, allow editing outside of the directory and something like %sudoroot cp * /etc/apache/* so that they can /commit/ their changes instead of editing directly. Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature
