[sudo-users] limit editing files to one directory only?

juan manuel fangio jmf at zeus.bwh.harvard.edu
Tue Aug 15 11:50:32 EDT 2006


I am wondering if it is possible to restrict one user's
privileges so that he can only edit text (PHP) files in one
directory tree.

Here's my situation:
- Three users on a webserver: Bill, Fred and John
- Bill and Fred are admins in the wheel group and have full
root capabilities via sudo:
    %wheel  ALL=(ALL) ALL
- Bill and Fred are members of the 'web' group
- Webserver documents are all group-owned by web, e.g.:
    [Bill at webserver html]$ ls -l
    total 11056
    drwxrwsr-x   3 Bill  web    4096 Aug 14 22:40 blah/
    drwxrwxr-x  17 Fred  web    4096 Sep 14  2005 some_app/
    -rw-rw-r--   1 Fred  web     116 Aug 14 22:09 index.html
    -rw-rw-r--   1 Bill  web     116 Aug  8 16:30 index.php
    drwxrwsr-x   3 Bill  web    4096 Feb 13  2006 podcasts/
    -rw-rw-r--   1 Fred  web      16 Aug  9 16:17 robots.txt
    drwxrwsr-x  15 Fred  web    4096 Aug 15 11:01 wiki/

- John wants a wiki
- John wants to modify certain visual elements of the wiki
- John is a great guy but, as a rule, Bill and Fred don't
like to give people enough rope to hang themselves on
production servers

I have tried a couple of things but none seem to work. It
seems that I can limit John to ALL commands in the wiki
directory, or I can limit him to /usr/bin/vim as a member
of the web group. I can't seem to limit him to /usr/bin/vim
as a member of the web group for only those files in wiki/
(and its subdirectories).

What is the best way to allow John the ability to edit, and
only edit, just those files located in the directory wiki/
and below?

Thanks!
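As an added example (not part of the original post or of the sudo project): the sudoers rule an administrator would usually reach for here is a `sudoedit` entry with a directory glob, such as `John ALL = sudoedit /var/www/html/wiki/*` (the document root `/var/www/html` is an assumption; the post only shows a directory named `html`). The sudoers manual warns that in command arguments a `*` also matches `/`, so the glob by itself only checks a prefix; the Python below contrasts that prefix match with the containment check a wrapper script or a review of the rule should apply, using constructed paths.

```python
import fnmatch
import os

# Assumed document root; the original post only shows the "html" directory.
WIKI_ROOT = "/var/www/html/wiki"

# The sudoers rule an administrator might write for John (assumed path):
#   John  ALL = sudoedit /var/www/html/wiki/*
SUDOERS_PATTERN = WIKI_ROOT + "/*"


def sudoers_glob_allows(path: str) -> bool:
    """Approximate how sudoers matches a wildcard in a command argument.

    Like sudo's argument matching, fnmatch lets '*' match '/' as well, so
    any argument that merely starts with the wiki prefix is accepted,
    including ones that climb back out of the tree with '..'.
    """
    return fnmatch.fnmatchcase(path, SUDOERS_PATTERN)


def inside_wiki_tree(path: str, root: str = WIKI_ROOT) -> bool:
    """Containment check to pair with the rule.

    Collapse '.' and '..' components lexically, then require the result to
    be the root itself or to sit strictly below it.  normpath does not
    resolve symbolic links; on a live filesystem use os.path.realpath so a
    link placed inside wiki/ cannot point at a file elsewhere.
    """
    canon = os.path.normpath(path)
    return canon == root or canon.startswith(root + os.sep)


def audit(paths):
    """Return {path: (glob_allows, really_inside)} for a set of requests,
    so the two checks can be compared side by side."""
    return {p: (sudoers_glob_allows(p), inside_wiki_tree(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests; index.php is a sibling file from the post.
    for p, (glob_ok, inside) in audit([
        "/var/www/html/wiki/skins/common/main.css",
        "/var/www/html/wiki/../index.php",
        "/var/www/html/wikis/main.css",
    ]).items():
        print(f"{p}: glob={glob_ok} inside_tree={inside}")
```

The second sample path passes the glob but fails containment; that is the gap the rule alone leaves open and the reason to canonicalize the argument before trusting it.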

