[sudo-users] limit editing files to one directory only?

donald.ritchey at exeloncorp.com donald.ritchey at exeloncorp.com
Wed Aug 16 11:03:52 EDT 2006

I suggest you combine the approaches listed below, but with a twist.

1.  Ensure that all files in the Wiki that need to be edited are group
'web' and are writable through the group permissions.

2.  In your sudo script, ensure that the files are located in the wiki
directories and do not exec the editor without a successful check.

3.  In your script, sudo via a restricted user (that belongs only to
the 'web' group) to exec the editor (something like:

	webedit:*:UID:GID for web:Wiki Editing

filling in the appropriate IDs for your system and making sure the user
ID is set to a restricted shell).

This way you use the principle of "least privilege" to get the desired
results.  The restricted user can only write to its own files (if you
are careful, there aren't any) and to files in group 'web'.  Check to
make sure that only the intended set of files are owned by group 'web'
and you should be relatively safe.

Best wishes,

Don Ritchey
System Administrator
Exelon Corporation

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ladner, Eric
Sent: Wednesday, August 16, 2006 8:43 AM
To: juan manuel fangio; sudo-users at sudo.ws
Subject: Re: [sudo-users] limit editing files to one directory only?

Giving somebody "vi" through sudo is dangerous due to the shell
integration inside vi.  However, there is a restricted mode in vim (not
vi, but vim - http://www.vim.org) called rvim that won't allow shell
interaction (just straight editing).  But...  Rvim will allow you to
open a file and write the contents out to another file (rvim
/home/wiki/somefile.php, change the file, then :w!/etc/passwd)

Out of curiosity, does the system this is located on support acls?  Acls
are kind of hit and miss sometimes because not all shell commands play
nice with the extra fluff in the inodes to support acls, but if your
system has good acl support, that might be the way to go.

Having said all that, it wouldn't be impossible to write a wrapper
script that checks to see if the files being edited are in that
directory and won't kick off the vi if they are not (checking $PWD and
the passed in file names before calling vi), but without the restricted
vi (rvim) mentioned above, anybody that's worth his salt in vi could
easily edit any file on the system once inside vi.  It looks like with
rvim or straight vi, this would be very dangerous, though.

Like this:

$ sudo vi-wrapper /home/user/wiki/file.php
(inside vi)
(editing and hacking here)

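One way to build the wrapper that Don's steps 2 and 3 and Eric's path-check idea describe, as an added example that is not code from either poster. It assumes the tree lives under /home/wiki, the restricted account is called webedit, the editor is rvim, and a sudoers entry that lets john run only this wrapper as webedit (all of these are assumed names, not from the thread):

```shell
#!/bin/sh
# Added example, not from the thread.  Assumed sudoers line that goes with it:
#   john ALL=(webedit) NOPASSWD: /usr/local/bin/wikiedit
# so john can run only this wrapper, and only as the restricted 'webedit' user.
WIKI_ROOT="${WIKI_ROOT:-/home/wiki}"      # assumed location of the wiki tree
EDITOR_BIN="${EDITOR_BIN:-/usr/bin/rvim}" # restricted vim, as Eric suggests

# inside_tree ROOT PATH: succeed only if PATH resolves (symlinks and ".."
# included) to an existing regular file strictly below ROOT.  Resolving
# first is what defeats "wiki/link -> /etc/passwd" and "wiki/../etc/passwd".
inside_tree() {
    root=$(realpath -e -- "$1" 2>/dev/null) || return 1
    target=$(realpath -e -- "$2" 2>/dev/null) || return 1
    [ -f "$target" ] || return 1
    case "$target" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_all ROOT FILE...: every argument must pass inside_tree, otherwise the
# whole invocation is refused (the editor is never started on a mixed list).
check_all() {
    root=$1; shift
    [ "$#" -gt 0 ] || return 1
    for f in "$@"; do
        inside_tree "$root" "$f" || return 1
    done
    return 0
}

wikiedit_main() {
    if ! check_all "$WIKI_ROOT" "$@"; then
        echo "wikiedit: every argument must be an existing file under $WIKI_ROOT" >&2
        exit 1
    fi
    # Hand the editor the resolved paths, not the caller's own spelling of them.
    # A path check cannot see hard links; running as 'webedit' (Don's step 3)
    # is what makes ":w! /etc/passwd" fail on permissions anyway.
    n=$#
    while [ "$n" -gt 0 ]; do
        f=$1; shift
        set -- "$@" "$(realpath -e -- "$f")"
        n=$((n - 1))
    done
    exec "$EDITOR_BIN" -- "$@"
}

# Only act when given files; with no arguments the script just defines functions.
[ "$#" -eq 0 ] || wikiedit_main "$@"
```

Installed mode 0755 and root-owned so john cannot alter it, the wrapper plus the sudoers line above gives him an editor on wiki/ files only, while the filesystem (group 'web' writes, nothing else) backstops the check.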

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of juan manuel
Sent: Tuesday, August 15, 2006 10:51 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] limit editing files to one directory only?

I am wondering if it is possible to restrict one user's privileges so
that he can only edit text (PHP) files in one directory tree.

Here's my situation:
- Three users on a webserver; Bill, Fred and John
- Bill and Fred are admins in the wheel group and have full root
capabilities via sudo:
    %wheel  ALL=(ALL) ALL
- Bill and Fred are members of the 'web' group
- Webserver documents are all group-owned by web. E.G.:
    [Bill at webserver html]$ ls -l
    total 11056
    drwxrwsr-x   3 Bill  web    4096 Aug 14 22:40 blah/
    drwxrwxr-x  17 Fred  web    4096 Sep 14  2005 some_app/
    -rw-rw-r--   1 Fred  web     116 Aug 14 22:09
    -rw-rw-r--   1 Bill  web     116 Aug  8 16:30 index.php
    drwxrwsr-x   3 Bill  web    4096 Feb 13  2006 podcasts/
    -rw-rw-r--   1 Fred  web      16 Aug  9 16:17
    drwxrwsr-x  15 Fred  web    4096 Aug 15 11:01 wiki/

- John wants a wiki
- John wants to modify certain visual elements of the wiki
- John is great guy but, as a rule, Bill and Fred don't like to give
people enough rope to hang themselves on production servers

I have tried a couple of things but none seem to work. It seems that I
can limit John to ALL commands in the wiki directory, or I can limit him
to /usr/bin/vim as a member of the web group. I can't seem to limit him
to /usr/bin/vim as a member of the web group for only those files in
wiki/ (and its subdirectories).

What is the best way to allow John the ability to edit, and only edit,
just those files located in the directory wiki/ and below?



sudo-users mailing list <sudo-users at sudo.ws> For list information,
options, or to unsubscribe, visit:
