[sudo-users] consultatio about edition for files
Todd C. Miller
Todd.Miller at courtesan.com
Mon May 12 09:11:38 MDT 2014
The way you are trying to do this is not secure as the user will
be able to start a shell from /bin/vi and run any command as root.
This is what "sudoedit" is for. E.g.
%admbackup ALL = sudoedit /opt/tivoli/tsm/client/oracle/bin64/*.opt
would allow users in group admbackup to run:
$ sudoedit /opt/tivoli/tsm/client/oracle/bin64/*.opt
the editor will run as the user (not root) and after the edit is
complete, sudo will copy the edited file back to the original path.
Note that for sudoedit rules you should not use a fully-qualified
path, just "sudoedit".
- todd
More information about the sudo-users
mailing list