[sudo-users] sudoedit restrict allowed file changes

Grant Taylor gtaylor at tnetconsulting.net
Thu Mar 26 14:50:15 MDT 2020


On 3/26/20 8:14 AM, LE BOUTER Leo wrote:
> Hello,

Hi,

> Is there a way one can restrict the changes that are allowed in the 
> configuration file?

Not that I'm aware of.

Remember that sudoedit is a wrapper of sorts that uses sudo privileges 
to copy the protected file to a temporary file, launches the user's 
default $EDITOR / $VISUAL against said temporary file, and then copies 
said temporary file back in place if changes were made.

I'm not aware of sudoedit having any option to apply any checks against 
the temporary file.

> For example, changes could be passed through a regex, or an arbitrary 
> validation script, before replace.

Given the complexity of sudoers syntax, and regular expressions 
(independent of implementation), I would be loath to ask sudo to sanity 
check file contents.

> Also maybe giving up on sudoedit and creating a shell script that 
> performs the required changes and allowing access through sudo is the 
> solution here? Though I'm also worried about the security of shell 
> scripts themselves.

I think that sudoedit is likely a non-starter for what you want.

I think that you are probably looking at something, other than 
sudo(edit), to do the sanity checking of the temporary file, and then 
conditionally replace the target file with the temporary file.

> Please advise,

The other thing that I see done for things like this is some sort of 
approved config management where your user submits changes for review, 
and then said changes are automatically applied once proper approvals 
are given.



-- 
Grant. . . .
unix || die
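Below is an added example of the "validate, then conditionally replace" step that both the question (a script allowed through sudo) and the reply above point at. It is not code from the sudo project or from either poster. The script name install-config, the /etc/example/app.conf target, its check_kv_syntax validator and the sudoers rule in the usage note are all hypothetical; chmod/chown --reference assume GNU coreutils. The design keeps the editor unprivileged (the user edits a copy and feeds it on stdin), copies the candidate into a root-owned temp file before validating it so the user cannot swap it between check and install, and hard-codes which validator runs for which target so that no argument a user controls becomes a command run as root.

```shell
#!/bin/sh
# install-config: read a candidate config on stdin, validate it, and only on
# success atomically replace TARGET. Added example, not sudo's own code.
set -eu

# Hypothetical validator for a "key = value" config: every non-blank,
# non-comment line must be "name = value". Real targets should use the
# program's own checker (visudo -c -f, sshd -t -f, ...).
check_kv_syntax() {
    ! grep -Ev '^[[:space:]]*(#|$)' -- "$1" \
        | grep -qvE '^[A-Za-z_][A-Za-z0-9_]* = [^[:space:]]+$'
}

# install_if_valid TARGET VALIDATOR [ARGS...]
#   The candidate is read from stdin (inherited through sudo from the user),
#   so root never opens a user-controlled path and a symlink to a root-only
#   file cannot be smuggled in. The temp file is appended to VALIDATOR's
#   arguments. Returns 0 when installed, 1 when rejected (TARGET untouched).
install_if_valid() {
    target=$1; shift
    dir=$(dirname -- "$target")
    # 0600 temp file in the target's own directory: the user cannot modify it
    # during validation (validating their file in place would be a TOCTOU
    # race) and the final mv is an atomic rename on the same filesystem.
    tmp=$(mktemp "$dir/.$(basename -- "$target").XXXXXX")
    cat > "$tmp"
    if ! "$@" "$tmp"; then
        echo "install-config: validation failed, $target left untouched" >&2
        rm -f -- "$tmp"
        return 1
    fi
    # Carry over the live file's mode and owner (GNU --reference, assumption);
    # chown is skipped when unprivileged so the functions also run in tests.
    if [ -e "$target" ]; then
        chmod --reference="$target" -- "$tmp"
        if [ "$(id -u)" -eq 0 ]; then
            chown --reference="$target" -- "$tmp"
        fi
    fi
    mv -f -- "$tmp" "$target"
}

# Fixed target -> validator table. The validator is chosen here, never from
# the command line: a user-selectable validator would be arbitrary code as root.
main() {
    if [ $# -ne 1 ] || [ -t 0 ]; then
        echo "usage: sudo $0 TARGET < candidate-file" >&2
        exit 2
    fi
    case $1 in
        /etc/sudoers)          install_if_valid "$1" visudo -c -f ;;
        /etc/ssh/sshd_config)  install_if_valid "$1" sshd -t -f ;;
        /etc/example/app.conf) install_if_valid "$1" check_kv_syntax ;;  # hypothetical
        *) echo "install-config: $1 is not an allowed target" >&2; exit 2 ;;
    esac
}

# Only run the CLI when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

With a (hypothetical) sudoers rule such as `leo ALL = (root) /usr/local/sbin/install-config /etc/example/app.conf`, the user's workflow is `cp /etc/example/app.conf ~/app.conf.new`, edit the copy with any editor, then `sudo /usr/local/sbin/install-config /etc/example/app.conf < ~/app.conf.new`. Because the editor runs as the user, an editor shell escape yields nothing beyond the user's own shell, which is the property sudoedit exists to provide; the only privileged code is the short validate-and-rename path above. For a target the user cannot read (sudoers is 0440 root), the copy-out step needs its own read-only rule.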


