Hi,

I am not a sudo expert, but consider my notes:

By default all commands are disabled. If you enable some command, the others will still be disabled.

On Fri, 25 May 2012 10:13:05 +0200 Denis Witt <denis.w...@concepts-and-training.de> wrote:

> * editing of php.ini

It is possible to set the whole command line (with file name) in /etc/sudoers, but see below. Try tweaking Unix group memberships for this.

> * some editors

Here there can be a security problem, because some of the editors can run a shell or allow opening more files. If you allow opening an editor with high privileges, then these privileges can be used to open other files or execute commands too. I found the sudoedit command, try reading more about it, but the editor's problem is still here.

> * apt-get install but not remove

IMO this is possible by setting the whole command "apt-get options *" in sudoers, but I never tried this. I have this on one of my servers:

    User_Alias EJABBER = snmp, www-data
    ...
    EJABBER ALL=(ejabberd) NOPASSWD: /usr/sbin/ejabberdctl stats *

With this line (I hope) only snmp and www-data can run the "/usr/sbin/ejabberdctl stats *" command. The asterisk can be replaced by any other option (package name for you). But be careful with apt-get, because more than one command (install, remove, ...) can be used in one line... Perhaps some shell script for this, which will accept only package names?

Some time ago I read the sudo manual with nice examples at the sudo homepage, try reading it.

regards

-- 
Slavko
http://slavino.sk
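The wrapper script suggested in the message above, sketched as an added example (it is not part of the original e-mail). The install path /usr/local/sbin/pkg-install, the group name in the sudoers comment and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, e.g. installed as /usr/local/sbin/pkg-install).
# Assumed sudoers rule; the group name is made up. No arguments are listed in the
# rule, so sudo passes any arguments and the script does the filtering:
#   %pkginstall ALL=(root) /usr/local/sbin/pkg-install
LC_ALL=C; export LC_ALL            # make [a-z] mean ASCII lowercase only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH

# Succeeds only for a plain Debian package name: lowercase letters, digits,
# '+', '.', '-', at least two characters, starting with a letter or digit.
is_pkg_name() {
    case "$1" in
        ''|?)            return 1 ;;  # empty or one character
        [!a-z0-9]*)      return 1 ;;  # leading '-' (an option), './file.deb', ...
        *[!a-z0-9+.-]*)  return 1 ;;  # '=', '/', spaces, uppercase, shell chars
        *-)              return 1 ;;  # "name-" tells apt-get install to REMOVE name
    esac
    return 0
}

# Succeeds only if there is at least one argument and all are package names.
check_pkg_args() {
    [ "$#" -gt 0 ] || { echo "usage: pkg-install PACKAGE..." >&2; return 1; }
    for arg in "$@"; do
        is_pkg_name "$arg" || { echo "rejected argument: $arg" >&2; return 1; }
    done
    return 0
}

main() {
    check_pkg_args "$@" || exit 64
    # The subcommand is fixed here, so the caller cannot choose remove or purge.
    exec /usr/bin/apt-get install "$@"
}

# Run only when invoked under the wrapper's own name.
case "${0##*/}" in
    pkg-install) main "$@" ;;
esac
```

The trailing-hyphen check matters because a sudoers rule of the form "apt-get install *" would accept "name-", which apt-get install treats as a request to remove that package.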