idea : suedit

[William R. Ward]

I'm new here, so forgive me if this has been discussed before.  I have
an idea to present for a new feature for sudo to facilitate editing
system configuration files.  The idea came out of a discussion thread
on the debian security mailing list.

One mistake that naive system administrators often make is to grant
sudo access for editing certain files, such as "vi /etc/aliases".  The
trouble with this is that the users can then use the editor's powerful
file manipulation (:e) and shell escape capabilities (:!) to do things
that the sudoers file doesn't authorize.

To remedy this, I would like to propose a new component to the sudo
package, which I'm calling "suedit".  This would work according to the
following algorithm:

(using root privileges)
  Copy the desired file to /tmp and make it owned by the user
(using non-root privileges)
  Edit that file using $VISUAL or $EDITOR
(using root privileges)
  Install the /tmp file into the desired location and delete it.

The behavior would resemble the "vipw" or "visudo" commands, except
that the editing is done without root access.  It not only affords a
way to give users the ability to edit certain files securely while
restricting their access to other files, it also adds a file locking
feature and better accountability.

Why make this part of sudo itself?  Because of the sudoers file.  One
could write a couple of shell scripts to implement this, but then the
sudoers file would have some rather cryptic "cp" entries which would
be difficult to maintain and thus prone to error.  Adding Edit_Alias
entries to /etc/sudoers that would clearly specify which files may be
edited would be very easy to maintain.

--Bill.

-- 
William R Ward            bill at wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
     If you're not part of the solution, you're part of the precipitate.