On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
> On 2011-12-20 10:13 AM, Michael Mol <mike...@gmail.com> wrote:
> > So, incidentally, would 'sudo passwd root'...
> 
> Ouch... any way to avoid that?
> 
> I guess the best way would be to simply give them access to the commands 
> they need...
> 
> I'll look into that...

  Howsabout in sudoers giving them the right to execute 2 commands...

cat /etc/whatever > scratchfile (this one may not be necessary)
cat scratchfile > /etc/whatever

  The first command copies the contents of the file to whatever
directory the user is in.  He can work on the copy using his regular
privileges.  Note that I'm assuming the user does not have read
privileges on the file.  If he does have read privileges, then the first
command does not require sudoers.

  At the last step, he can send the finished copy back to the
original file.  The sequence the user will have to follow is, logged in
as regular user...

1a) If he does *NOT* have read prileges to /etc/whatever
touch scratchfile
sudo cat /etc/whatever > scratchfile

1b) If he *DOES* have read prileges to /etc/whatever
cp /etc/whatever scratchfile


2) edit scratchfile *LOCALLY* with his favourite editor.  No need to
worry about restricting an editor.

3) sudo cat scratchfile > /etc/whatever

Note the use of "cat", rather than "cp", when using sudo.  "cp" will
copy the file attributes, including the fact that it's owned by the user
doing the copying, e.g. sudo (as root) copies the file and it's owned by
root (oops).  Ditto for "cat" when redirected *TO A NEW FILE*.  "touch"
guarantees that the file will exist, and get overwritten by the content
of /etc/whatever, but still retaining the fact that it's owned by the
local user.

If local user has read access to /etc/whatever, that makes things
easier.  When he does "cp" as local user, the resulting file is owned by
hin.  Edit at liesure, and send the result back with "cat".

-- 
Walter Dnes <waltd...@waltdnes.org>

Reply via email to