[sudo-users] sudoedit restrict allowed file changes
Grant Taylor
gtaylor at tnetconsulting.net
Thu Mar 26 14:50:15 MDT 2020
On 3/26/20 8:14 AM, LE BOUTER Leo wrote:
> Hello,
Hi,
> Is there a way one can restrict the changes that are allowed in the
> configuration file?
Not that I'm aware of.
Remember that sudoedit is a wrapper of sorts that uses sudo privileges
to copy the protected file to a temporary file, launches the users
default $EDITOR / $VISUAL against said temporary file, and then copies
said temporary file back in place if changes made.
I'm not aware of sudoedit having any option to apply any checks against
the temporary file.
> For example, changes could be passed through a regex, or an arbitrary
> validation script, before replace.
Given the complexity of sudoers syntax, and regular expressions
(independent of implementation), I would be loath to ask sudo to sanity
check file contents.
> Also maybe giving up on sudoedit and creating a shell script that
> performs the required changes and allowing access through sudo is the
> solution here? Though I'm also worried about the security of shell
> scripts themselves.
I think that sudoedit is likely a non-starter for what you want.
I think that you are probably looking at something, other than
sudo(edit), to do the sanity checking of the temporary file, and then
conditionally replace the target file with the temporary file.
> Please advice,
The other thing that I see done for things like this is some sort of
approved config management where your user submits changes for review,
and then said changes are automatically applied once proper approvals
are given.
--
Grant. . . .
unix || die
More information about the sudo-users
mailing list