stopping shell execution from with vi editor as root

Rich Dempsey dempsey at kodak.com
Fri Apr 12 09:33:53 EDT 2002


I see two approaches to this.

One is to have the files belong to a limited group, with write access
granted to the group, and with the specific users belonging to the group.
If you include some sort of source control, such as SCCS or RCS, or
something more modern, this makes things pretty clean.  Oh, the containing
directory should have the group sticky bit set and belong to the group
so the files continue to be owned by that group.

An alternative is to grant the users the ability to copy on top of the
files in question, perhaps through the use of an appropriate script to
control access.  They edit a private copy and then replace the public
copy with the private copy.

Rich


At 12:49 PM 04/12/2002 +0100, Thomas Robinson wrote:
>Hi,
>
>I'd like to give permissions to some users so that they can edit
>specific files as root. Unfortunately in my simple set up they can also
>execute the :! command and gain root shell access. Is there any way to
>defeat this or should I implement a different method to enable users to
>edit files as root?
>
>My config looks roughly like the following:
>
>Cmnd_Alias         ICANEDIT = /bin/vi /etc/some.conf
>
>auser               myhost             = (root) ICANEDIT
>
>Regards
>
>Tom
>
>Thomas Robinson
>Ehbas Ltd
>T: 01273 234 665
>F: 01273 704 499

--

Richard C. Dempsey              email: dempsey at kodak.com
Kodak.com                       pager: 585-975-3539
3rd Floor, Bldg 16, KO          phone: 585-781-5232
Eastman Kodak Company
Rochester, NY 14650-0706
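
The second approach in the reply above (edit a private copy, then replace the public copy through a controlling script), sketched as an added example that is not part of the original message. The script path, the name `install-some-conf`, the size limit and the file mode are assumptions; `/etc/some.conf`, `auser` and `myhost` are taken from the quoted configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Intended as the only command granted in
# sudoers instead of vi, e.g. (script path is an assumption):
#   auser  myhost = (root) /usr/local/sbin/install-some-conf
# Usage by the user, after editing a private copy with their own editor:
#   sudo /usr/local/sbin/install-some-conf < ~/some.conf.mine
# The user's shell opens the private copy, so root never opens a caller-chosen
# path and never runs an interactive program with a shell escape.

# install_conf DEST [MAX_BYTES]: replace DEST with the data on stdin.
install_conf() {
    dest=$1
    max_bytes=${2:-65536}            # constructed size limit for this example
    if [ -t 0 ]; then
        echo "usage: install-some-conf < private-copy" >&2
        return 2
    fi
    # Stage in the destination directory so the final rename is atomic.
    tmp=$(mktemp "$(dirname "$dest")/.install_conf.XXXXXX") || return 1
    # Read one byte past the limit so oversized input is detectable.
    head -c "$((max_bytes + 1))" > "$tmp"
    size=$(( $(wc -c < "$tmp") ))
    if [ "$size" -eq 0 ] || [ "$size" -gt "$max_bytes" ]; then
        rm -f "$tmp"
        echo "install_conf: input is empty or larger than $max_bytes bytes" >&2
        return 2
    fi
    # Keep the previous version so a bad edit can be rolled back.
    if [ -f "$dest" ] && ! cp -p "$dest" "$dest.bak"; then
        rm -f "$tmp"
        return 1
    fi
    # Mode 644 is an assumption; match whatever the real file requires.
    if ! { chmod 644 "$tmp" && mv -f "$tmp" "$dest"; }; then
        rm -f "$tmp"
        return 1
    fi
}

# Run only under the hypothetical installed name. The destination is fixed
# here and is never taken from the caller.
if [ "${0##*/}" = "install-some-conf" ]; then
    install_conf /etc/some.conf
fi
```

A syntax or sanity check specific to the real configuration file would go between the size check and the backup step.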