[sudo-users] limit editing files to one directory only?

Ladner, Eric (Eric.Ladner) Eric.Ladner at chevron.com
Wed Aug 16 09:43:04 EDT 2006

Giving somebody "vi" through sudo is dangerous due to the shell
integration inside vi.  However, there is a restricted mode in vim (not
vi, but vim - http://www.vim.org) call rvim that won't allow shell
interaction (just straight editing).  But...  Rvim will allow you to
open a file and write the contents out to another file (rvim
/home/wiki/somefile.php, change the file, then :w!/etc/passwd)

Out of curiosity, does the system this is located on support acls?  Acls
are kind of hit and miss sometimes because not all shell commands play
nice with the extra fluff in the inodes to support acls, but if your
system has good acl support, that might be the way to go.

Having said all that, it wouildn't be impossible to write a wrapper
script that checks to see if the files being edited are in that
directory and won't kick off the vi if they are not (checking $PWD and
the passed in file names before calling vi), but without the restricted
vi (rvim) mentioned above, anybody that's worth his salt in vi could
easily edit any file on the system once inside vi.  It looks like with
rvim or straight vi, this would be very dangerous, though.

Like this:

$ sudo vi-wrapper /home/user/wiki/file.php
(inside vi)
(editing and hacking here)


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of juan manuel
Sent: Tuesday, August 15, 2006 10:51 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] limit editing files to one directory only?

I am wondering if it is possible to restrict one user's privileges so
that he can only edit text (PHP) files in one directory tree.

Here's my situation:
- Three users on a webserver; Bill, Fred and John
- Bill and Fred are admins in the wheel group and have full root
capabilities via sudo:
    %wheel  ALL=(ALL) ALL
- Bill and Fred are members of the 'web' group
- Webserver documents are all group-owned by web. E.G.:
    [Bill at webserver html]$ ls -l
    total 11056
    drwxrwsr-x   3 Bill  web    4096 Aug 14 22:40 blah/
    drwxrwxr-x  17 Fred  web    4096 Sep 14  2005 some_app/
    -rw-rw-r--   1 Fred  web     116 Aug 14 22:09
    -rw-rw-r--   1 Bill  web     116 Aug  8 16:30 index.php
    drwxrwsr-x   3 Bill  web    4096 Feb 13  2006 podcasts/
    -rw-rw-r--   1 Fred  web      16 Aug  9 16:17
    drwxrwsr-x  15 Fred  web    4096 Aug 15 11:01 wiki/

- John wants a wiki
- John wants to modify certain visual elements of the wiki
- John is great guy but, as a rule, Bill and Fred don't like to give
people enough rope to hang themselves on production servers

I have tried a couple of things but none seem to work. It seems that I
can limit John to ALL commands in the wiki directory, or I can limit him
to /usr/bin/vim as a member of the web group. I can't seem to limit him
to /usr/bin/vim as a member of the web group for only those files in
wiki/ (and its subdirectories).

What is the best way to allow John the ability to edit, and only edit,
just those files located in the directory wiki/ and below?


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s). The information
contained in this message may be private and confidential, and may also
be subject to the work product doctrine. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.  

sudo-users mailing list <sudo-users at sudo.ws> For list information,
options, or to unsubscribe, visit:

More information about the sudo-users mailing list