On 12/22/2011 05:44 PM, Tanstaafl wrote:
> On 2011-12-20 12:19 PM, Nikos Chantziaras <rea...@arcor.de> wrote:
>> If you allow someone to edit root owned files, you're practically giving
>> him root access.
>
> Well, yeah, but only on those defined files...

root access is global. You can't limit it. root is root, the all powerful Unix being. Period :-)


>> So the fact that he doesn't know the root password is totally
>> irrelevant; he doesn't even need the password anymore to gain root
>> access since he already has that access.
>
> But he only has root access in explicitly defined, non-system, non
> critical directories...

Again, root can have no limits.


>> So you might want to rethink the way you want to allow him to edit those
>> files.
>
> I *want* him to be able to do whatever he wants in /var/www (and a few
> other non critical directories)...

Then you put the files in a special group and make them g+w, and add the affected users to that group. Then they will be able to write to those files. If you want to give them write access to a whole directory, you put the directory in the group and make it g+w. This is how it's traditionally been done in Unix for ages, and it's extremely easy to set up.
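
One way to script the group setup described in the reply above, as an added example that is not part of the original message. The group name `webedit`, the user `alice` and the helper names `share_tree` and `audit_tree` are assumptions, and the setgid bit on directories goes beyond what the message describes.

```shell
#!/bin/sh
# Added example (not from the original message). Group-based write access
# to a tree such as /var/www, instead of handing out root.
#
# One-time steps that need root (names are hypothetical):
#   groupadd webedit
#   usermod -aG webedit alice      # alice must log in again to pick it up
#   share_tree webedit /var/www

# share_tree GROUP DIR
# Put DIR and everything below it in GROUP and make it group-writable.
share_tree() {
    group=$1
    dir=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # chgrp -R does not follow symlinks found during the walk by default.
    chgrp -R -- "$group" "$dir" || return 1
    # Directories: g+rwx, plus setgid so new entries inherit GROUP
    # (an addition to the message's advice; without it, files created by
    # alice would land in her primary group).
    find "$dir" -type d -exec chmod g+rwxs {} + || return 1
    # Regular files: group read/write.
    find "$dir" -type f -exec chmod g+rw {} + || return 1
}

# audit_tree GROUP DIR
# Print every file or directory under DIR that breaks the scheme:
# wrong group, not group-writable, or writable by everyone.
audit_tree() {
    find "$2" \( -type d -o -type f \) \
        \( ! -group "$1" -o ! -perm -020 -o -perm -002 \) -print
}
```

Group members also need a umask of 002 for the files they create to stay writable by the rest of the group; an empty `audit_tree` result means the tree matches the scheme.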

