[sudo-users] sudoedit restrict allowed file changes

Shawn McMahon syberghost at gmail.com
Thu Mar 26 10:20:55 MDT 2020


Another instance of rsyslog can be run as a non-privileged user on a
non-privileged port. This will be more secure than trying to blacklist
config file contents for the privileged instance.

On Thu, Mar 26, 2020 at 10:35 AM LE BOUTER Leo <leo.lebouter-ext at aphp.fr>
wrote:

> Hello,
>
> I am using sudoedit to allow a specific user to edit the configuration of
> rsyslog.
> However, I am worried that some of the configuration parameters of rsyslog
> allow them to gain privileges on the system.
>
> Is there a way one can restrict the changes that are allowed in the
> configuration file?
>
> For example, changes could be passed through a regex, or an arbitrary
> validation script, before replace.
>
> Also maybe giving up on sudoedit and creating a shell script that performs
> the required changes and allowing access through sudo is the solution here?
> Though I'm also worried about the security of shell scripts themselves.
>
> Please advise,
>
> Thanks
>
> Leo Le Bouter
> Infrastructure Security Engineer
> Entrepot de Donnees de Sante (WIND)
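The separate unprivileged instance Shawn suggests, written out as an added example systemd unit (not from the thread or the rsyslog project); the unit name, the `rsyslog-user` account, the `/etc/rsyslog-user/` path and the port are assumptions. The config file is owned by `rsyslog-user`, so whatever the editor puts in it can only do what that account can do, and `rsyslogd -N1` rejects a syntactically broken config before the daemon starts.

```ini
# /etc/systemd/system/rsyslog-user.service  (assumed name and path)
[Unit]
Description=Second rsyslog instance running as an unprivileged user
After=network.target

[Service]
# Run entirely as the unprivileged account that owns the config file.
User=rsyslog-user
Group=rsyslog-user
# Validate the config first (-N1 = check mode); a failing check aborts the start.
ExecStartPre=/usr/sbin/rsyslogd -N1 -f /etc/rsyslog-user/rsyslog.conf
# -n: stay in the foreground; -i: own pid file so it cannot clash with the system instance.
ExecStart=/usr/sbin/rsyslogd -n -f /etc/rsyslog-user/rsyslog.conf -i /run/rsyslog-user/rsyslogd.pid
# Writable directories are created for the service user under /run, /var/lib and /var/log.
RuntimeDirectory=rsyslog-user
StateDirectory=rsyslog-user
LogsDirectory=rsyslog-user
# A listener on a port above 1023 needs no capabilities, so drop them all.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
# Read-only view of the system apart from the directories granted above.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

A matching sudoers rule such as `leo ALL=(rsyslog-user) sudoedit /etc/rsyslog-user/rsyslog.conf` lets the user edit the file as that account rather than as root, and a minimal `/etc/rsyslog-user/rsyslog.conf` needs only `module(load="imtcp")`, `input(type="imtcp" port="10514")` and an `omfile` action writing under `/var/log/rsyslog-user/`.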

