On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tansta...@libertytrek.org> wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
>> sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to edit
>> files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access denied
>> error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the root
>> password so they can su -...
>
> The sudo command allows commands to be executed *as though they were root*.
>
> 'sudo su -' would work. So would 'sudo mv src dst'.
>
> So, incidentally, would 'sudo passwd root'...
>
For file editing alone, you can allow rights to sudoedit, for example:

    %sudoroot ALL = sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo).

But you also have to restrict the editors because most of them are able to
spawn a shell (which would then have root rights). Restricted editors like
`rnano` or `rvim` circumvent this issue. To do this, set something like this
in your sudoers file:

    editor=rnano:rvim

You should probably also restrict which files can be edited (not /etc/passwd,
/etc/shadow or /etc/sudoers, for sure!). You can do this with globs. For
example:

    %sudoroot ALL = sudoedit /var/www/*

Hope this helps,
Florian Philipp
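An added example, not part of the messages above: a small Python check over sudoers rule lines for one group that flags the grants this thread warns about (unrestricted `ALL`, `sudoedit` with no path list, and `sudoedit` globs that reach /etc/passwd, /etc/shadow or /etc/sudoers). The sample rule lines are constructed, and the simplified rule grammar and the function name `audit_group_rules` are assumptions of this example.

```python
import fnmatch
import re

# Files the reply above says must not be editable through sudoedit.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")

# "%group HOST = [(runas)] commands"; a simplified grammar assumed for this example.
RULE = re.compile(r"^%(?P<group>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

# Constructed sample input, not taken from the thread's server.
SAMPLE = """\
# constructed sudoers fragment
%sudoroot ALL=(ALL) ALL
%sudoroot ALL = sudoedit
%sudoroot ALL = sudoedit /etc/*
%sudoroot ALL = sudoedit /var/www/*
%wheel ALL=(ALL) ALL
"""


def audit_group_rules(sudoers_text, group):
    """Return (line_number, finding) pairs for rules granted to %group."""
    findings = []
    for number, raw in enumerate(sudoers_text.splitlines(), start=1):
        match = RULE.match(raw.strip())  # comments and blank lines do not match
        if not match or match.group("group") != group:
            continue
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            words = cmd.split()
            if cmd == "ALL":
                findings.append((number, "any command allowed (root shell, passwd root)"))
            elif words and words[0] == "sudoedit":
                patterns = words[1:]
                if not patterns:
                    findings.append((number, "sudoedit without a path list"))
                    continue
                # fnmatch lets '*' cross '/', so this errs on the side of flagging.
                hits = [f for f in SENSITIVE
                        if any(fnmatch.fnmatchcase(f, p) for p in patterns)]
                if hits:
                    findings.append((number, "sudoedit covers " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for number, finding in audit_group_rules(SAMPLE, "sudoroot"):
        print(f"line {number}: {finding}")
```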