[sudo-users] limit editing files to one directory only?
Ladner, Eric (Eric.Ladner)
Eric.Ladner at chevron.com
Wed Aug 16 09:43:04 EDT 2006
Giving somebody "vi" through sudo is dangerous due to the shell
integration inside vi. However, there is a restricted mode in vim (not
vi, but vim - http://www.vim.org) call rvim that won't allow shell
interaction (just straight editing). But... Rvim will allow you to
open a file and write the contents out to another file (rvim
/home/wiki/somefile.php, change the file, then :w!/etc/passwd)
Out of curiosity, does the system this is located on support acls? Acls
are kind of hit and miss sometimes because not all shell commands play
nice with the extra fluff in the inodes to support acls, but if your
system has good acl support, that might be the way to go.
Having said all that, it wouildn't be impossible to write a wrapper
script that checks to see if the files being edited are in that
directory and won't kick off the vi if they are not (checking $PWD and
the passed in file names before calling vi), but without the restricted
vi (rvim) mentioned above, anybody that's worth his salt in vi could
easily edit any file on the system once inside vi. It looks like with
rvim or straight vi, this would be very dangerous, though.
Like this:
$ sudo vi-wrapper /home/user/wiki/file.php
(inside vi)
:1,$d
:r/etc/passwd
(editing and hacking here)
:w!/etc/passwd
Eric
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of juan manuel
fangio
Sent: Tuesday, August 15, 2006 10:51 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] limit editing files to one directory only?
I am wondering if it is possible to restrict one user's privileges so
that he can only edit text (PHP) files in one directory tree.
Here's my situation:
- Three users on a webserver; Bill, Fred and John
- Bill and Fred are admins in the wheel group and have full root
capabilities via sudo:
%wheel ALL=(ALL) ALL
- Bill and Fred are members of the 'web' group
- Webserver documents are all group-owned by web. E.G.:
[Bill at webserver html]$ ls -l
total 11056
drwxrwsr-x 3 Bill web 4096 Aug 14 22:40 blah/
drwxrwxr-x 17 Fred web 4096 Sep 14 2005 some_app/
-rw-rw-r-- 1 Fred web 116 Aug 14 22:09
index.html
-rw-rw-r-- 1 Bill web 116 Aug 8 16:30 index.php
drwxrwsr-x 3 Bill web 4096 Feb 13 2006 podcasts/
-rw-rw-r-- 1 Fred web 16 Aug 9 16:17
robots.txt
drwxrwsr-x 15 Fred web 4096 Aug 15 11:01 wiki/
- John wants a wiki
- John wants to modify certain visual elements of the wiki
- John is great guy but, as a rule, Bill and Fred don't like to give
people enough rope to hang themselves on production servers
I have tried a couple of things but none seem to work. It seems that I
can limit John to ALL commands in the wiki directory, or I can limit him
to /usr/bin/vim as a member of the web group. I can't seem to limit him
to /usr/bin/vim as a member of the web group for only those files in
wiki/ (and its subdirectories).
What is the best way to allow John the ability to edit, and only edit,
just those files located in the directory wiki/ and below?
Thanks!
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s). The information
contained in this message may be private and confidential, and may also
be subject to the work product doctrine. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information,
options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
More information about the sudo-users
mailing list