[sudo-users] consultation about edition for files

federico montaldo fmontaldo3 at gmail.com
Mon May 12 09:20:49 MDT 2014


Hi Todd,

Thanks for your reply. If I put these entries in sudo:

Cmnd_Alias ADMBKUP  /usr/bin/dsmc,\
/bin/vi /opt/tivoli/tsm/client/ba/bin/dsm.sys,\
/bin/vi /opt/tivoli/tsm/client/ba/bin/dsm.opt,\
/bin/vi /tsmlogs/logs/dsmerror.log,\
/bin/vi /tsmlogs/logs/dsmsched.log,\
/sbin/initctl start dsm-sched

But when I want to add the line as in the example that you passed me, sudo
replies with an error in the first line of the Cmnd_Alias.


On Mon, May 12, 2014 at 12:11 PM, Todd C. Miller
<Todd.Miller at courtesan.com> wrote:
> The way you are trying to do this is not secure as the user will
> be able to start a shell from /bin/vi and run any command as root.
>
> This is what "sudoedit" is for.  E.g.
>
> %admbackup ALL = sudoedit /opt/tivoli/tsm/client/oracle/bin64/*.opt
>
> would allow users in group admbackup to run:
>
> $ sudoedit /opt/tivoli/tsm/client/oracle/bin64/*.opt
>
> the editor will run as the user (not root) and after the edit is
> complete, sudo will copy the edited file back to the original path.
>
> Note that for sudoedit rules you should not use a fully-qualified
> path, just "sudoedit".
>
>  - todd
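
Added example (not part of the original messages, and not code from the sudo project): a small Python check that reads sudoers text, reports a Cmnd_Alias with no "=" after its name and entries that run an editor as root, and rewrites those entries as "sudoedit" rules without a fully-qualified path. The EDITORS list and the function names are assumptions of this example, and escaped commas inside command arguments are not handled.

```python
import re

# Assumed list of editors that can start a shell; extend for your systems.
EDITORS = {"vi", "vim", "view", "ex", "ed", "nano", "emacs"}

# Constructed sample: the alias from the message above, as posted.
SAMPLE = r"""Cmnd_Alias ADMBKUP  /usr/bin/dsmc,\
/bin/vi /opt/tivoli/tsm/client/ba/bin/dsm.sys,\
/bin/vi /opt/tivoli/tsm/client/ba/bin/dsm.opt,\
/bin/vi /tsmlogs/logs/dsmerror.log,\
/bin/vi /tsmlogs/logs/dsmsched.log,\
/sbin/initctl start dsm-sched
"""

ALIAS = re.compile(r"\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*(=?)\s*(.*)")

def logical_lines(text):
    """Join lines that end in a backslash, as sudoers does."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()

def audit(text):
    """Return (findings, rewritten aliases) for every Cmnd_Alias in text."""
    findings, fixed = [], []
    for line in logical_lines(text):
        m = ALIAS.match(line)
        if not m:
            continue
        name, eq, body = m.groups()
        if not eq:
            findings.append(f"{name}: no '=' after the alias name (syntax error)")
        cmds = []
        for cmd in filter(None, (c.strip() for c in body.split(","))):
            parts = cmd.split()
            if parts[0].rsplit("/", 1)[-1] in EDITORS:
                findings.append(f"{name}: '{cmd}' runs an editor as root")
                if len(parts) > 1:  # file arguments present: use sudoedit
                    cmd = "sudoedit " + " ".join(parts[1:])
            cmds.append(cmd)
        fixed.append(f"Cmnd_Alias {name} = " + ", ".join(cmds))
    return findings, fixed

if __name__ == "__main__":
    findings, fixed = audit(SAMPLE)
    print("\n".join(findings + fixed))
```

Check any rewritten alias with "visudo -c" before installing it.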

