[sudo-users] sudoedit restrict allowed file changes

Grant Taylor gtaylor at tnetconsulting.net
Thu Mar 26 19:16:09 MDT 2020

On 3/26/20 3:46 PM, LE BOUTER Leo wrote:
> Hello!


> Well I'd certainly love to have my whole system under versioning 
> with merge requests and codeowners mechanism!  This problem has been 
> hitting me many times over, I hope to figure out something proper 
> and great one day.

I think that's possibly a little bit more extreme than I was thinking.

> I'll sort it out with an unprivileged rsyslog this time, I think. 
> Can't undergo the bigger task of full ansible gitops or something on 
> my system right now.

Something much shorter term you might think about is seeing if rsyslog 
will support include files.  If it will, think about a small script that 
will generate the included files based on parameters your users specify.

That way they can only specify parameters to the script and as such 
can't change things they shouldn't be changing.

You could probably make the script read parametrized input or a request 
file and only act if the parameters / request is syntactically correct 
and acceptable.

Sort of like a templating engine.

> Thanks a lot for the help.

You're welcome.

Grant. . . .
unix || die

More information about the sudo-users mailing list