[sudo-users] sudo to wasadmin minus some commands....

Michael Potter pottmi at gmail.com
Mon Jan 29 21:02:26 EST 2007


I can not think of anything easy to do...
Once someone logs in as the user (no matter how they got there), it
will be difficult to protect files owned by that user.

Let me restate the problem more generically in case I am
misunderstanding what you want to do:
you want to disallow a user from editing files they own if that user was
logged in via
"sudo su - username", and allow them to edit if they logged in any other way.

Here is a little known unix privilege trick that you can probably win
a sucker bet on:

----rwxrwx  username groupname

username will not be able to edit that file without changing its
privilege, even though he belongs to groupname.

proof on mac osx 10.4.8:
-----------------
localhost:~/tmp pottmi$ echo "sample data" >testfile
localhost:~/tmp pottmi$ chmod u-rwx testfile
localhost:~/tmp pottmi$ chmod go+rwx testfile
localhost:~/tmp pottmi$ cat testfile
cat: testfile: Permission denied
localhost:~/tmp pottmi$ ls -l testfile
----rwxrwx   1 pottmi  pottmi  12 Jan 29 19:56 testfile
localhost:~/tmp pottmi$
----------------

That does not really protect the file because all username has to do
is change the privileges, but maybe that trick will help someone think
of a solution.

Another solution (and you probably already thought of it), is to make
the privileged files owned by a completely different user and then
have the privileged user edit those via sudoedit.

I hope that helps.
-- 
Michael Potter

On 1/29/07, Johnson, Kenneth R. <KRJohnson at aaamichigan.com> wrote:
> We're running AIX 5.3, I want to allow a few users to sudo to wasadmin (and
> wasadmin owns everything under "/usr/WebSphere/AppServer"), yet I do
> want them to be able to update certain config files in that filesystem
> (i.e. in certain directories under abovementioned structure), is there a
> way to set that up in the sudoers file
> <http://www.tek-tips.com/viewthread.cfm?qid=1327851&page=1##> ?
>
> Thanx,
>
> Ken Johnson
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
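The owner-class rule behind the ----rwxrwx trick above, as an added Python model of the POSIX permission check (not code from this thread); the uids, gids and the 0o077 test file are constructed to mirror the transcript, and may_chmod captures the caveat that the owner can simply change the mode back.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    """Constructed stand-in for the os.stat() fields the check needs."""
    mode: int  # permission bits only, e.g. 0o077 for ----rwxrwx
    uid: int
    gid: int


R, W, X = 4, 2, 1  # permission masks, as in chmod's octal digits


def class_bits(f: FileInfo, uid: int, gids: frozenset) -> int:
    """Return the single 3-bit class POSIX consults for this caller.

    Exactly one class applies: owner if uid matches (even when the owner
    bits are all zero), else group if gid matches, else other. Group bits
    are never a fallback for the owner, which is why ----rwxrwx locks out
    the owner while letting every other group member in.
    """
    if uid == f.uid:
        return (f.mode & stat.S_IRWXU) >> 6
    if f.gid in gids:
        return (f.mode & stat.S_IRWXG) >> 3
    return f.mode & stat.S_IRWXO


def may_access(f: FileInfo, uid: int, gids: frozenset, want: int) -> bool:
    """DAC decision for a request mask `want` (any combination of R, W, X)."""
    if uid == 0:
        # root bypasses read/write checks; execute still needs some x bit
        return not (want & X) or bool(f.mode & 0o111)
    return (class_bits(f, uid, gids) & want) == want


def may_chmod(f: FileInfo, uid: int) -> bool:
    """chmod is governed by ownership, not mode bits: the locked-out owner
    can always restore u+rwx, which is the caveat raised in the mail."""
    return uid == 0 or uid == f.uid


# Constructed to mirror the transcript: ----rwxrwx, owner and group "pottmi"
OWNER_UID, GROUP_GID = 501, 501
TESTFILE = FileInfo(mode=0o077, uid=OWNER_UID, gid=GROUP_GID)

if __name__ == "__main__":
    me = frozenset({GROUP_GID})
    print("owner cat:", may_access(TESTFILE, OWNER_UID, me, R))   # False
    print("group member cat:", may_access(TESTFILE, 502, me, R))  # True
    print("owner may chmod:", may_chmod(TESTFILE, OWNER_UID))     # True
```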