Re: [gentoo-user] Allow non root users to edit files owned by root?
On 22 December 2011 15:41, Tanstaafl wrote:
> On 2011-12-20 11:00 AM, Florian Philipp wrote:
>>
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot sudoedit /var/www/*
>
> Ok, just found out that subdirectories are not included when doing it this
> way, and haven't found a way to include them...
>
> Please tell me there is a way, and I won't have to explicitly define every
> subdirectory under /var/www that they will need to be able to work in...

Perhaps I missed it, but my approach to this would be to create a
'webadmin' group, and change the group of the directory (and applicable
subdirs).

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 2011-12-20 11:00 AM, Florian Philipp wrote:
> You should probably also restrict which files can be edited (not
> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
> with globs. For example:
> %sudoroot sudoedit /var/www/*

Ok, just found out that subdirectories are not included when doing it this
way, and haven't found a way to include them...

Please tell me there is a way, and I won't have to explicitly define every
subdirectory under /var/www that they will need to be able to work in...

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 21.12.2011 06:55, Walter Dnes wrote:
> On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
>> On 2011-12-20 10:13 AM, Michael Mol wrote:
>>> So, incidentally, would 'sudo passwd root'...
>>
>> Ouch... any way to avoid that?
>>
>> I guess the best way would be to simply give them access to the commands
>> they need...
>>
>> I'll look into that...
>
> Howsabout in sudoers giving them the right to execute 2 commands...
>
> cat /etc/whatever > scratchfile (this one may not be necessary)
> cat scratchfile > /etc/whatever
>

That doesn't work because redirection is not done by the sudoed process
but by the calling shell. You need to do something like this:

    /bin/sh -c 'cat scratchfile > /etc/whatever'

> The first command copies the contents of the file to whatever
> directory the user is in. He can work on the copy using his regular
> privileges. Note that I'm assuming the user does not have read
> privileges on the file. If he does have read privileges, then the first
> command does not require sudoers.
>
> At the last step, he can send the finished copy back to the
> original file. The sequence the user will have to follow is, logged in
> as regular user...
>
> 1a) If he does *NOT* have read privileges to /etc/whatever
>     touch scratchfile
>     sudo cat /etc/whatever > scratchfile
>
> 1b) If he *DOES* have read privileges to /etc/whatever
>     cp /etc/whatever scratchfile
>
>
> 2) edit scratchfile *LOCALLY* with his favourite editor. No need to
> worry about restricting an editor.
>
> 3) sudo cat scratchfile > /etc/whatever
>

I just double checked my assumption that sudoedit uses $EDITOR with root
access. While the man page doesn't state it, it seems that the editor is
called with normal user rights and sudo handles exactly the same sequence
you outlined above (using a temporary file owned by $user:$user, chmod
0600).

Therefore it seems you can safely use a normal editor with sudoedit. Sorry
for the confusion.

> Note the use of "cat", rather than "cp", when using sudo. "cp" will
> copy the file attributes, including the fact that it's owned by the user
> doing the copying, e.g. sudo (as root) copies the file and it's owned by
> root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
> guarantees that the file will exist, and get overwritten by the content
> of /etc/whatever, but still retaining the fact that it's owned by the
> local user.
>

I think you can get the same result with `cp --no-preserve=all` but
probably with higher performance (not that it makes a difference with
config files).

> If local user has read access to /etc/whatever, that makes things
> easier. When he does "cp" as local user, the resulting file is owned by
> him. Edit at leisure, and send the result back with "cat".
>

Re: [gentoo-user] Allow non root users to edit files owned by root?
On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
> On 2011-12-20 10:13 AM, Michael Mol wrote:
> > So, incidentally, would 'sudo passwd root'...
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

Howsabout in sudoers giving them the right to execute 2 commands...

    cat /etc/whatever > scratchfile (this one may not be necessary)
    cat scratchfile > /etc/whatever

The first command copies the contents of the file to whatever
directory the user is in. He can work on the copy using his regular
privileges. Note that I'm assuming the user does not have read
privileges on the file. If he does have read privileges, then the first
command does not require sudoers.

At the last step, he can send the finished copy back to the
original file. The sequence the user will have to follow is, logged in
as regular user...

1a) If he does *NOT* have read privileges to /etc/whatever
    touch scratchfile
    sudo cat /etc/whatever > scratchfile

1b) If he *DOES* have read privileges to /etc/whatever
    cp /etc/whatever scratchfile

2) edit scratchfile *LOCALLY* with his favourite editor. No need to
worry about restricting an editor.

3) sudo cat scratchfile > /etc/whatever

Note the use of "cat", rather than "cp", when using sudo. "cp" will
copy the file attributes, including the fact that it's owned by the user
doing the copying, e.g. sudo (as root) copies the file and it's owned by
root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
guarantees that the file will exist, and get overwritten by the content
of /etc/whatever, but still retaining the fact that it's owned by the
local user.

If local user has read access to /etc/whatever, that makes things
easier. When he does "cp" as local user, the resulting file is owned by
him. Edit at leisure, and send the result back with "cat".

--
Walter Dnes

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 2011-12-20 12:20 PM, Florian Philipp wrote:
> Well, as I've said, using a /normal/ editor doesn't solve the problem
> because you can use nano for opening a shell, thereby escalating your
> privileges. You have to use rnano (or nano -R).
>
> This solution is not really meant for the luxury of a full blown editor
> with arbitrary arguments and capabilities. rnano doesn't read nanorc
> files, for example. If you cannot agree on a common set of safe flags,
> you shouldn't use sudo for this purpose.

Points taken from all, thanks...

I settled on requiring the -R flag for nano, and limited the files that he
can edit, so he will simply have to live with this.

Thanks all...

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 20.12.2011 18:03, Tanstaafl wrote:
> On 2011-12-20 11:00 AM, Florian Philipp wrote:
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot sudoedit /var/www/*
>
> Great, that helps... but...
>
> He wants to use nano, so I set this up for nano, but there is one little
> issue...
>
> He sometimes uses different flags with nano (ie, 'nano -wc filename') -
> is there a way to specify the use with or without flags? I know you can
> use:
>
> /bin/nano -* /etc/apache2/*,
>
> But this fails if no flags are specified.
>

Well, as I've said, using a /normal/ editor doesn't solve the problem
because you can use nano for opening a shell, thereby escalating your
privileges. You have to use rnano (or nano -R).

This solution is not really meant for the luxury of a full blown editor
with arbitrary arguments and capabilities. rnano doesn't read nanorc
files, for example. If you cannot agree on a common set of safe flags, you
shouldn't use sudo for this purpose.

In that case, I recommend Michael's proposed solution of ACLs or probably
group write access + setgid to the specific directories.

Alternatively, allow editing outside of the directory and something like

    %sudoroot cp * /etc/apache/*

so that they can /commit/ their changes instead of editing directly.

Regards,
Florian Philipp

Re: [gentoo-user] Allow non root users to edit files owned by root?
On Tue, Dec 20, 2011 at 11:51 AM, Tanstaafl wrote:
> On 2011-12-20 10:13 AM, Michael Mol wrote:
>>
>> So, incidentally, would 'sudo passwd root'...
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

The best way would probably be to work with UNIX privileges or ACLs.
You've got a file you want people other than root to be able to edit.

    groupadd $SPECIALGROUP
    usermod -a -G $SPECIALGROUP $THEIRUSERNAME
    chown :$SPECIALGROUP $FILENAME
    chmod g+w $FILENAME

(You might want to chmod g-x $FILENAME, too, just for safety's sake.)

--
:wq

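Added example, not part of the original thread: the group approach above extended from a single file to a whole tree such as /var/www, using the setgid-on-directories idea mentioned elsewhere in the thread. The function names share_tree and audit_tree are hypothetical, and the group is assumed to exist already (groupadd/usermod as above).

```shell
#!/bin/sh
# Added example: share a directory tree with a group instead of using sudo.
# share_tree and audit_tree are hypothetical helper names.

# share_tree GROUP DIR
#   directories: group rwx + setgid, so new files and subdirs inherit GROUP
#   files:       group rw, execute bits left as they were
#   everything:  world-write removed
share_tree() {
    group=$1
    dir=$2
    [ -d "$dir" ] || { echo "share_tree: $dir is not a directory" >&2; return 1; }
    # -h: change a symlink itself, never the file it points to
    chgrp -hR "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod g+rwxs,o-w {} + || return 1
    find "$dir" -type f -exec chmod g+rw,o-w {} + || return 1
}

# audit_tree GROUP DIR
#   prints every path that would still block a group member, or that is
#   writable by users outside the group; prints nothing when the tree is clean
audit_tree() {
    group=$1
    dir=$2
    find "$dir" \( ! -group "$group" \
        -o \( -type d ! -perm -2070 \) \
        -o \( -type f ! -perm -0060 \) \
        -o \( ! -type l -perm -0002 \) \) -print
}

# Stand-alone use: sh share_tree.sh webadmin /var/www
if [ "$#" -eq 2 ]; then
    share_tree "$1" "$2" && audit_tree "$1" "$2"
fi
```

New files inherit the group through the setgid bit, but whether they come out group-writable still depends on the creating user's umask; a default ACL on the directories is the way to enforce that.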
Re: [gentoo-user] Allow non root users to edit files owned by root?
On 2011-12-20 11:00 AM, Florian Philipp wrote:
> You should probably also restrict which files can be edited (not
> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
> with globs. For example:
> %sudoroot sudoedit /var/www/*

Great, that helps... but...

He wants to use nano, so I set this up for nano, but there is one little
issue...

He sometimes uses different flags with nano (ie, 'nano -wc filename') -
is there a way to specify the use with or without flags? I know you can
use:

    /bin/nano -* /etc/apache2/*,

But this fails if no flags are specified.

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 2011-12-20 10:13 AM, Michael Mol wrote:
> So, incidentally, would 'sudo passwd root'...

Ouch... any way to avoid that?

I guess the best way would be to simply give them access to the commands
they need...

I'll look into that...

Thanks...

Re: [gentoo-user] Allow non root users to edit files owned by root?
On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
>> sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to edit
>> files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access denied
>> error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the root
>> password so they can su -...
>
> The sudo command allows commands to be executed *as though they were root*.
>
> 'sudo su -' would work. So would 'sudo mv src dst'.
>
> So, incidentally, would 'sudo passwd root'...
>

For file editing alone, you can allow rights to sudoedit, for example:

    %sudoroot sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo).

But you also have to restrict the editors because most of them are able to
spawn a shell (which would then have root rights). Restricted editors like
`rnano` or `rvim` circumvent this issue. To do this, set something like
this in your sudoers file:

    editor=rnano:rvim

You should probably also restrict which files can be edited (not
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this with
globs. For example:

    %sudoroot sudoedit /var/www/*

Hope this helps,
Florian Philipp

Re: [gentoo-user] Allow non root users to edit files owned by root?
On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl wrote:
> Hi all,
>
> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
> sudo (never had to use it before).
>
> I have a new hosted VM server that I want to allow a user to be able to edit
> files owned by root, but without giving them the root password.
>
> I already did:
>
> /usr/sbin/visudo
>
> and added the following line:
>
> %sudoroot ALL=(ALL) ALL
>
> and made sure the user is in this group, but they still get an access denied
> error when trying to mv or cp files that are owned by root.
>
> What is the best way to do this? I'd really prefer to not give them the root
> password so they can su -...

The sudo command allows commands to be executed *as though they were root*.

'sudo su -' would work. So would 'sudo mv src dst'.

So, incidentally, would 'sudo passwd root'...

--
:wq

[gentoo-user] Allow non root users to edit files owned by root?
Hi all,

I'm guessing this is a sudo question, but I'm unfamiliar with the nuances
of sudo (never had to use it before).

I have a new hosted VM server that I want to allow a user to be able to
edit files owned by root, but without giving them the root password.

I already did:

    /usr/sbin/visudo

and added the following line:

    %sudoroot ALL=(ALL) ALL

and made sure the user is in this group, but they still get an access
denied error when trying to mv or cp files that are owned by root.

What is the best way to do this? I'd really prefer to not give them the
root password so they can su -...

Thanks,

Charles