idea : suedit

Matthew Hannigan mlh at zip.com.au
Fri Dec 14 06:08:55 EST 2001


I think this idea is good but would be better 
implemented as one of a number of standard 
wrapper commands distributed with sudo.

I'm sure there are others; perhaps some
should be promoted from the contrib area.

Regards,
	-Matt

On Thu, Dec 13, 2001 at 02:13:34PM -0800, William R. Ward wrote:
> 
> I'm new here, so forgive me if this has been discussed before.  I have
> an idea to present for a new feature for sudo to facilitate editing
> system configuration files.  The idea came out of a discussion thread
> on the debian security mailing list.
> 
> One mistake that naive system administrators often make is to grant
> sudo access for editing certain files, such as "vi /etc/aliases".  The
> trouble with this is that the users can then use the editor's powerful
> file manipulation (:e) and shell escape capabilities (:!) to do things
> that the sudoers file doesn't authorize.
> 
> To remedy this, I would like to propose a new component to the sudo
> package, which I'm calling "suedit".  This would work according to the
> following algorithm:
> 
> (using root privileges)
>   Copy the desired file to /tmp and make it owned by the user
> (using non-root privileges)
>   Edit that file using $VISUAL or $EDITOR
> (using root privileges)
>   Install the /tmp file into the desired location and delete it.
> 
> The behavior would resemble the "vipw" or "visudo" commands, except
> that the editing is done without root access.  It not only affords a
> way to give users the ability to edit certain files securely while
> restricting their access to other files, it also adds a file locking
> feature and better accountability.
> 
> Why make this part of sudo itself?  Because of the sudoers file.  One
> could write a couple of shell scripts to implement this, but then the
> sudoers file would have some rather cryptic "cp" entries which would
> be difficult to maintain and thus prone to error.  Adding Edit_Alias
> entries to /etc/sudoers that would clearly specify which files may be
> edited would be very easy to maintain.
> 
> --Bill.
> 
> -- 
> William R Ward            bill at wards.net          http://www.wards.net/~bill/
> -----------------------------------------------------------------------------
>      If you're not part of the solution, you're part of the precipitate.
> ____________________________________________________________ 
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers

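The three-phase copy-out / edit / install-back procedure Bill sketches above, as an added illustration (this is not sudo's own code, nor the sudoedit that sudo later shipped). Assumptions not taken from the message: the script is invoked through sudo, so the invoking user is read from $SUDO_USER; the unprivileged editing phase is delegated with "sudo -u"; and the editor is whatever $VISUAL or $EDITOR names. When the script runs as an ordinary user (for example when exercising it locally) every phase runs as that user, which still walks through the same logic.

```shell
#!/bin/sh
# Added example, not sudo's code: a minimal "suedit" in the shape described
# on the list.  Assumed invocation: "sudo suedit /etc/aliases", so the
# caller is $SUDO_USER and the script itself runs as root.
set -eu

# Phase 1 (root): copy the target into a private temp file owned by the user.
suedit_checkout() {
    target=$1; owner=$2
    if [ ! -f "$target" ]; then
        echo "suedit: $target is not a regular file" >&2
        return 1
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/suedit.XXXXXX")
    cp "$target" "$tmp"
    chown "$owner" "$tmp"          # root-only in real use; a no-op for self
    chmod 600 "$tmp"
    printf '%s\n' "$tmp"
}

# Phase 2 (user): run the editor on the temp copy only, never on the target.
# Shell escapes and :e from inside the editor now run with the user's own
# privileges, which is the whole point of the scheme.
suedit_edit() {
    file=$1; owner=$2
    editor=${VISUAL:-${EDITOR:-vi}}
    if [ "$(id -u)" -eq 0 ] && [ "$owner" != root ]; then
        sudo -u "$owner" -- $editor "$file"
    else
        $editor "$file"
    fi
}

# Phase 3 (root): refuse to install unless the temp path is still a regular
# file owned by the user (not a symlink the user swapped in to make root copy
# some other file's contents into the target), skip the install when nothing
# changed, otherwise copy the contents over the target and delete the copy.
# "cp" onto an existing file keeps the target's owner and mode.
suedit_install() {
    tmp=$1; target=$2; owner=$3
    if [ -z "$(find "$tmp" -prune -user "$owner" -type f)" ]; then
        echo "suedit: $tmp was replaced, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    if cmp -s "$tmp" "$target"; then
        echo "suedit: $target unchanged" >&2
        rm -f "$tmp"
        return 0
    fi
    cp "$tmp" "$target"
    rm -f "$tmp"
}

# Top-level driver tying the three phases together.
suedit() {
    target=$1
    owner=${SUDO_USER:-$(id -un)}
    tmp=$(suedit_checkout "$target" "$owner")
    if ! suedit_edit "$tmp" "$owner"; then
        rm -f "$tmp"
        return 1
    fi
    suedit_install "$tmp" "$target" "$owner"
}

if [ $# -gt 0 ]; then
    suedit "$@"
fi
```

Two things this sketch leaves out that a real version would want: the locking Bill mentions (so two admins editing /etc/aliases at once do not silently overwrite each other), and any sanity check on the new contents, since sudoers can restrict which file is edited but not what is written into it.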