On 02/21/2015 01:35 AM, Ulrich Mueller wrote:

>   Personally, I think that controlling who is allowed to run certain
>   types of applications via group membership is a great idea. We
>   should introduce that approach for other applications too. How
>   about an "editors" group? Text editors are potentially dangerous
>   because they allow users to modify files. Therefore, the system
>   administrator should add only trusted users to the "editors" group
>   so they can run programs like emacs, nano, or vim from the
>   app-editors category.
>

Protect the permissions on the files, not the editors - there's always
another way to get content into a file if you have write permission to it.
If you try to do that with a g+xo-x, then you're going to have to do the
same for every single command that can put output in a file (sed, curl,
wget, heck, anything that can be piped, every shell), and then your system
doesn't even need users anymore, because no user can do anything at all for
fear they might write to a file!
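
The point of the reply above, as an added shell example that is not part of the original message: four ways to write into a file without any editor, counted once with the file writable and once with write permission removed. It goes one step beyond the message by also renaming a new file over the protected one, which depends on the directory's permissions rather than the file's; the temporary directory and `notes.txt` are constructed for the demo, and it assumes an unprivileged user.

```shell
#!/bin/sh
# Constructed demo: the temp directory and notes.txt are made up for this example.
# Assumption: run as an unprivileged user; root bypasses the mode bits.

# Try four editor-free ways of writing into an existing file and
# print how many of them succeeded.
count_writes() {
    target=$1; ok=0
    { printf 'a\n' >> "$target"; } 2>/dev/null && ok=$((ok + 1))   # shell redirection
    printf 'b\n' | tee -a "$target" >/dev/null 2>&1 && ok=$((ok + 1))
    printf 'c\n' | dd of="$target" conv=notrunc 2>/dev/null && ok=$((ok + 1))
    cp /dev/null "$target" 2>/dev/null && ok=$((ok + 1))
    echo "$ok"
}

# Replace the file by renaming a new one over it. This needs write
# permission on the directory, not on the file.
replace_by_rename() {
    target=$1
    tmp="$(dirname "$target")/.new.$$"
    { printf 'replaced\n' > "$tmp"; } 2>/dev/null && mv -f "$tmp" "$target" 2>/dev/null
}

# Prints: <writes, file 0644> <writes, file 0444> <rename, dir writable> <rename, dir 0555>
run_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/notes.txt"
    printf 'original\n' > "$f"

    chmod 644 "$f"; writable=$(count_writes "$f")
    chmod 444 "$f"; locked=$(count_writes "$f")
    if replace_by_rename "$f"; then rename_open=yes; else rename_open=no; fi
    chmod 444 "$f"; chmod 555 "$dir"
    if replace_by_rename "$f"; then rename_locked=yes; else rename_locked=no; fi

    chmod 700 "$dir"; rm -rf "$dir"
    echo "$writable $locked $rename_open $rename_locked"
}

run_demo
```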
