On 12/22/2011 08:53 PM, Tanstaafl wrote:
> On 2011-12-22 1:00 PM, Nikos Chantziaras <rea...@arcor.de> wrote:
>> On 12/22/2011 05:44 PM, Tanstaafl wrote:
>>> On 2011-12-20 12:19 PM, Nikos Chantziaras <rea...@arcor.de> wrote:
>>>> If you allow someone to edit root owned files, you're practically
>>>> giving him root access.
>>>
>>> Well, yeah, but only on those defined files...
>>
>> root access is global. You can't limit it. root is root, the all
>> powerful Unix being. Period :-)
>
> Ummm... then what is the purpose of sudo??

sudo is for executing programs as another user. It is not for giving
file permissions.

> If I add the following line to sudoers:
>
> %sudoroot ALL=(root)NOPASSWD:/bin/chmod /var/www/localhost/htdocs/*
>
> Are you saying that this does NOT limit anyone in the sudoroot group to
> *only* be able to run the chmod command, and only on files located in
> /var/www/localhost/htdocs?

That doesn't seem to work at all here. But even if it did work, the
users still gain full root access. Look at what users can do:

  cd /var/www/localhost/htdocs
  sudo chmod a+w some_directory
  cd some_directory
  ln /etc/passwd .
  sudo chmod a+w passwd

There. He now has full write access to /etc/passwd. And with the same
methodology, to every file in the system.
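
A defender-side audit for the situation described in this message, as an added example that is not part of the original thread: it lists files under the delegated tree that have a second name elsewhere (so a chmod through the in-tree name changes the shared inode) and directories where any user could plant such a link. The function names are hypothetical, and `fs.protected_hardlinks` is a Linux kernel setting that the thread does not mention.

```shell
#!/bin/sh
# Added example: audit a tree that a sudoers chmod rule points at.
# Usage: sh audit.sh /var/www/localhost/htdocs   (path taken from the thread)

# Regular files with more than one name. A chmod through the in-tree name
# changes the mode of the shared inode, wherever its other names live.
multilinked_files() {
    find "$1" -xdev -type f -links +1 -print
}

# Directories any local user can write to, i.e. where a link could be created.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Linux setting that stops users hard-linking files they do not own.
# Prints 1 (on), 0 (off) or "unknown" when the kernel does not expose it.
hardlink_protection() {
    f=/proc/sys/fs/protected_hardlinks
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Report findings for one tree; returns non-zero when anything was found.
audit_tree() {
    links=$(multilinked_files "$1")
    dirs=$(world_writable_dirs "$1")
    echo "fs.protected_hardlinks: $(hardlink_protection)"
    if [ -n "$links" ]; then
        printf '%s\n' "$links" | sed 's/^/multi-link file: /'
    fi
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/world-writable dir: /'
    fi
    [ -z "$links" ] && [ -z "$dirs" ]
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_tree "$1" || echo "findings above need review"
fi
```

A clean report does not make the sudoers rule safe; it only shows that nothing in the tree currently shares an inode with a file outside it.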