[sudo-users] sudoedit restrict allowed file changes

LE BOUTER Leo leo.lebouter-ext at aphp.fr
Thu Mar 26 08:14:18 MDT 2020


Hello,

I am using sudoedit to allow a specific user to edit the configuration of rsyslog.
However, I am worried that some of the configuration parameters of rsyslog allow them to gain privileges on the system.

Is there a way one can restrict the changes that are allowed in the configuration file?

For example, changes could be passed through a regex, or an arbitrary validation script, before replace.

Also maybe giving up on sudoedit and creating a shell script that performs the required changes and allowing access through sudo is the solution here?
Though I'm also worried about the security of shell scripts themselves.

Please advise,

Thanks

Leo Le Bouter
Infrastructure Security Engineer
Entrepot de Donnees de Sante (WIND)
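
Added example, not part of the original post and not sudo or rsyslog project code: one shape the "validation script before replace" idea could take, as a helper run through sudo in place of sudoedit. The allowlist policy (comments, blank lines, and selector rules writing to *.log files directly under /var/log), the function names and the sample input are assumptions made for illustration.

```python
import os
import re
import subprocess
import sys
import tempfile

# Assumed policy: only comments, blank lines and legacy "selector  file" rules
# that write to a plain *.log file directly under /var/log are permitted.
_SEL = r"[a-z0-9*,]+\.[=!]?[a-z*]+"
ALLOWED = re.compile(
    rf"(?:\s*|#.*|{_SEL}(?:;{_SEL})*[ \t]+-?/var/log/[A-Za-z0-9][A-Za-z0-9_-]*\.log)"
)

def rejected_lines(text):
    """Return the 1-based numbers of all lines outside the allowlist."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not ALLOWED.fullmatch(line)]

def install(candidate, target):
    """Validate candidate, syntax-check it, then atomically replace target."""
    with open(candidate, encoding="utf-8") as fh:
        text = fh.read()
    bad = rejected_lines(text)
    if bad:
        # Numbers only: the candidate is read as root, so never echo content.
        raise ValueError(f"disallowed content on lines {bad}")
    # Write next to the target so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(text)
        os.chmod(tmp, 0o644)  # assumed mode for the config file
        # rsyslogd's own config check; a non-zero exit aborts the install.
        subprocess.run(["rsyslogd", "-N1", "-f", tmp], check=True)
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise

# Constructed sample input, not taken from the original post.
SAMPLE = """# local rules
auth,authpriv.*\t/var/log/auth.log
*.info;mail.none  -/var/log/messages.log
module(load="imudp")
kern.*  /var/log/../tmp/k.log
"""

if __name__ == "__main__":
    install(sys.argv[1], sys.argv[2])
```

The user edits a private copy and the sudoers rule grants only this helper, so nothing outside the allowlist reaches the live file; anything the pattern does not recognise is refused rather than inspected for known-bad directives.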

