Linux Archive > Gentoo > Gentoo User

Old 12-20-2011, 02:04 PM
Tanstaafl
 
Allow non root users to edit files owned by root?

Hi all,

I'm guessing this is a sudo question, but I'm unfamiliar with the
nuances of sudo (never had to use it before).


I have a new hosted VM server that I want to allow a user to be able to
edit files owned by root, but without giving them the root password.


I already did:

/usr/sbin/visudo

and added the following line:

%sudoroot ALL=(ALL) ALL

and made sure the user is in this group, but they still get an access
denied error when trying to mv or cp files that are owned by root.


What is the best way to do this? I'd really prefer to not give them the
root password so they can su -...


Thanks,

Charles
 
Old 12-20-2011, 02:13 PM
Michael Mol
 
Allow non root users to edit files owned by root?

On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> Hi all,
>
> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
> sudo (never had to use it before).
>
> I have a new hosted VM server that I want to allow a user to be able to edit
> files owned by root, but without giving them the root password.
>
> I already did:
>
> /usr/sbin/visudo
>
> and added the following line:
>
> %sudoroot ALL=(ALL) ALL
>
> and made sure the user is in this group, but they still get an access denied
> error when trying to mv or cp files that are owned by root.
>
> What is the best way to do this? I'd really prefer to not give them the root
> password so they can su -...

The sudo command allows commands to be executed *as though they were root*.

'sudo su -' would work. So would 'sudo mv src dst'.

So, incidentally, would 'sudo passwd root'...

--
:wq
 
Old 12-20-2011, 03:00 PM
Florian Philipp
 
Allow non root users to edit files owned by root?

On 20.12.2011 16:13, Michael Mol wrote:
> On Tue, Dec 20, 2011 at 10:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
>> Hi all,
>>
>> I'm guessing this is a sudo question, but I'm unfamiliar with the nuances of
>> sudo (never had to use it before).
>>
>> I have a new hosted VM server that I want to allow a user to be able to edit
>> files owned by root, but without giving them the root password.
>>
>> I already did:
>>
>> /usr/sbin/visudo
>>
>> and added the following line:
>>
>> %sudoroot ALL=(ALL) ALL
>>
>> and made sure the user is in this group, but they still get an access denied
>> error when trying to mv or cp files that are owned by root.
>>
>> What is the best way to do this? I'd really prefer to not give them the root
>> password so they can su -...
>
> The sudo command allows commands to be executed *as though they were root*.
>
> 'sudo su -' would work. So would 'sudo mv src dst'.
>
> So, incidentally, would 'sudo passwd root'...
>

For file editing alone, you can allow rights to sudoedit, for example:
%sudoroot sudoedit

This allows sudoroot members to execute `sudoedit $file` which starts an
editor (defined via environment variable EDITOR) with the file in a safe
fashion (similar to visudo). But you also have to restrict the editors
because most of them are able to spawn a shell (which would then have
root rights). Restricted editors like `rnano` or `rvim` circumvent this
issue. To do this, set something like this in your sudoers file:
editor=rnano:rvim

You should probably also restrict which files can be edited (not
/etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
with globs. For example:
%sudoroot sudoedit /var/www/*

Hope this helps,
Florian Philipp
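The sudoedit, editor and glob advice above as a lint over sudoers lines (an added example, not code from the thread or from sudo itself; the sample rules and the %sudoroot group are constructed from the lines quoted in this thread, and nano's restricted-mode switch -R is treated as equivalent to rnano):

```python
"""Lint sudoers rules for the pitfalls raised in this thread (added example).
Minimal parser: one rule per line, '%group [HOST=][(RUNAS)] cmd, cmd' or
'%group cmd' as Florian wrote it, plus 'Defaults editor=...'."""
import fnmatch
import re

SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")
RESTRICTED_EDITORS = {"rnano", "rvim", "rvi"}        # cannot spawn a shell
SHELL_CAPABLE = {"nano": "rnano or nano -R", "vim": "rvim", "vi": "rvi"}
RULE_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s*=\s*)?(?:\((\S+)\)\s*)?(.+)$")

# Constructed sample sudoers text modelled on the lines quoted in the thread.
SAMPLE_SUDOERS = """\
%sudoroot ALL=(ALL) ALL
%sudoroot sudoedit /etc/*
%sudoroot ALL=(ALL) /bin/nano -* /etc/apache2/*
"""
SAFER_SUDOERS = """\
Defaults editor=/usr/bin/rnano:/usr/bin/rvim
%sudoroot ALL=(ALL) sudoedit /var/www/*, /bin/nano -R /etc/apache2/*
"""

def audit(text):
    """Return [(line_no, finding), ...]; an empty list means nothing flagged."""
    editors = re.findall(r"^Defaults\s.*?\beditor\s*=\s*(\S+)", text, re.M)
    names = {e.rsplit("/", 1)[-1] for v in editors for e in v.split(":")}
    editor_restricted = bool(names) and names <= RESTRICTED_EDITORS
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not line or line.startswith("Defaults") or not m:
            continue
        who, cmds = m.group(1), m.group(4)
        for cmd in [c.strip() for c in cmds.split(",") if c.strip()]:
            prog, *args = cmd.split()
            name = prog.rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((no, f"{who}: ALL is full root ('sudo passwd root' works)"))
            elif name == "sudoedit":
                if not editor_restricted:
                    findings.append((no, f"{who}: sudoedit without Defaults editor=rnano:rvim"))
                for pat in args:  # does the glob reach password or sudoers files?
                    hit = [s for s in SENSITIVE if fnmatch.fnmatch(s, pat)]
                    if hit:
                        findings.append((no, f"{who}: sudoedit {pat} also matches {', '.join(hit)}"))
            elif name in SHELL_CAPABLE and "-R" not in args:
                findings.append((no, f"{who}: {name} can spawn a root shell; use {SHELL_CAPABLE[name]}"))
    return findings
```

Running `audit(SAMPLE_SUDOERS)` flags all three sample rules, while `audit(SAFER_SUDOERS)` returns nothing.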
 
Old 12-20-2011, 03:51 PM
Tanstaafl
 
Allow non root users to edit files owned by root?

On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:

> So, incidentally, would 'sudo passwd root'...


Ouch... any way to avoid that?

I guess the best way would be to simply give them access to the commands
they need...


I'll look into that...

Thanks...
 
Old 12-20-2011, 04:03 PM
Tanstaafl
 
Allow non root users to edit files owned by root?

On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:

> You should probably also restrict which files can be edited (not
> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
> with globs. For example:
> %sudoroot sudoedit /var/www/*


Great, that helps... but...

He wants to use nano, so I set this up for nano, but there is one little
issue...


He sometimes uses different flags with nano (i.e., 'nano -wc filename') -
is there a way to specify the use with or without flags? I know you can use:


/bin/nano -* /etc/apache2/*,

But this fails if no flags are specified.
 
Old 12-20-2011, 04:06 PM
Michael Mol
 
Allow non root users to edit files owned by root?

On Tue, Dec 20, 2011 at 11:51 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
>>
>> So, incidentally, would 'sudo passwd root'...
>
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

The best way would probably be to work with UNIX privileges or ACLs.
You've got a file you want people other than root to be able to edit.

groupadd $SPECIALGROUP
usermod -a -G $SPECIALGROUP $THEIRUSERNAME
chown :$SPECIALGROUP $FILENAME
chmod g+w $FILENAME

(You might want to chmod g-x $FILENAME, too, just for safety's sake.)

--
:wq
 
Old 12-20-2011, 04:19 PM
Nikos Chantziaras
 
Allow non root users to edit files owned by root?

On 12/20/2011 05:04 PM, Tanstaafl wrote:

> I have a new hosted VM server that I want to allow a user to be able to
> edit files owned by root, but without giving them the root password.


If you allow someone to edit root owned files, you're practically giving
him root access. So the fact that he doesn't know the root password is
totally irrelevant; he doesn't even need the password anymore to gain
root access since he already has that access.


So you might want to rethink the way you want to allow him to edit those
files.
 
Old 12-20-2011, 04:20 PM
Florian Philipp
 
Allow non root users to edit files owned by root?

On 20.12.2011 18:03, Tanstaafl wrote:
> On 2011-12-20 11:00 AM, Florian Philipp <lists@binarywings.net> wrote:
>> You should probably also restrict which files can be edited (not
>> /etc/passwd, /etc/shadow or /etc/sudoers, for sure!). You can do this
>> with globs. For example:
>> %sudoroot sudoedit /var/www/*
>
> Great, that helps... but...
>
> He wants to use nano, so I set this up for nano, but there is one little
> issue...
>
> He sometimes uses different flags with nano (i.e., 'nano -wc filename') -
> is there a way to specify the use with or without flags? I know you can
> use:
>
> /bin/nano -* /etc/apache2/*,
>
> But this fails if no flags are specified.
>

Well, as I've said, using a /normal/ editor doesn't solve the problem
because you can use nano for opening a shell, thereby escalating your
privileges. You have to use rnano (or nano -R). This solution is not
really meant for the luxury of a full blown editor with arbitrary
arguments and capabilities. rnano doesn't read nanorc files, for
example. If you cannot agree on a common set of safe flags, you
shouldn't use sudo for this purpose.

In that case, I recommend Michael's proposed solution of ACLs or
probably group write access +setgid to the specific directories.
Alternatively, allow editing outside of the directory and something like
%sudoroot cp * /etc/apache/*
so that they can /commit/ their changes instead of editing directly.

Regards,
Florian Philipp
 
Old 12-20-2011, 05:20 PM
Tanstaafl
 
Allow non root users to edit files owned by root?

On 2011-12-20 12:20 PM, Florian Philipp <lists@binarywings.net> wrote:

> Well, as I've said, using a /normal/ editor doesn't solve the problem
> because you can use nano for opening a shell, thereby escalating your
> privileges. You have to use rnano (or nano -R). This solution is not
> really meant for the luxury of a full blown editor with arbitrary
> arguments and capabilities. rnano doesn't read nanorc files, for
> example. If you cannot agree on a common set of safe flags, you
> shouldn't use sudo for this purpose.


Points taken from all, thanks...

I settled on requiring the -R flag for nano, and limited the files that
he can edit, so he will simply have to live with this.


Thanks all...
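The flag-matching question (why '/bin/nano -* /etc/apache2/*' refuses a bare 'nano file') and the mandatory -R rule the thread settled on, modelled in Python (an added example, not sudo's code): per sudoers(5), the user's arguments are matched as one space-joined string against the rule's argument pattern with fnmatch, and a rule written without arguments permits any. The rules, file paths and the extra rnano rules are constructed for the example.

```python
"""Model of how sudo matches command-line arguments against a sudoers rule
(added example, not sudo's code). Per sudoers(5), the user's arguments are
joined into one space-separated string and compared with the rule's argument
pattern using fnmatch; a rule written without arguments accepts any."""
import fnmatch
import shlex

def sudo_args_match(rule, argv):
    """rule: a command as written in sudoers; argv: the resolved command path
    followed by the arguments the user typed. True means the rule permits it."""
    rule_prog, *rule_args = shlex.split(rule)   # '""' in sudoers becomes ['']
    user_prog, *user_args = argv
    if rule_prog != user_prog:      # path must match; PATH lookup is out of scope
        return False
    if not rule_args:               # no arguments in the rule: anything goes
        return True
    return fnmatch.fnmatchcase(" ".join(user_args), " ".join(rule_args))

# Constructed rules and invocations modelled on the thread (not real config).
CASES = [
    # Tanstaafl's first attempt: '-*' demands at least one flag, so a bare
    # 'nano file' does not match.
    ("/bin/nano -* /etc/apache2/*", ["/bin/nano", "-wc", "/etc/apache2/httpd.conf"], True),
    ("/bin/nano -* /etc/apache2/*", ["/bin/nano", "/etc/apache2/httpd.conf"], False),
    # What the thread settled on: the -R (restricted mode) flag is mandatory.
    ("/bin/nano -R /etc/apache2/*", ["/bin/nano", "-R", "/etc/apache2/httpd.conf"], True),
    ("/bin/nano -R /etc/apache2/*", ["/bin/nano", "-wc", "/etc/apache2/httpd.conf"], False),
    ("/bin/nano -R /etc/apache2/*", ["/bin/nano", "/etc/apache2/httpd.conf"], False),
    # A wildcard spans spaces (sudoers(5)), so a second file rides along.
    ("/bin/nano -R /etc/apache2/*",
     ["/bin/nano", "-R", "/etc/apache2/httpd.conf", "/etc/apache2/ssl.conf"], True),
    # Two rules for rnano cover both the flag-less and the flagged invocation.
    ("/bin/rnano /etc/apache2/*", ["/bin/rnano", "/etc/apache2/httpd.conf"], True),
    ("/bin/rnano -* /etc/apache2/*", ["/bin/rnano", "-w", "/etc/apache2/httpd.conf"], True),
    # An explicit "" forbids arguments altogether.
    ('/bin/rnano ""', ["/bin/rnano", "/etc/apache2/httpd.conf"], False),
]

def check_cases():
    """Return a list of booleans, one per case: did the model agree?"""
    return [sudo_args_match(rule, argv) == expected for rule, argv, expected in CASES]

if __name__ == "__main__":
    for (rule, argv, _), ok in zip(CASES, check_cases()):
        print("ok " if ok else "BAD", rule, "<-", " ".join(argv[1:]))
```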
 
Old 12-21-2011, 04:55 AM
"Walter Dnes"
 
Allow non root users to edit files owned by root?

On Tue, Dec 20, 2011 at 11:51:11AM -0500, Tanstaafl wrote
> On 2011-12-20 10:13 AM, Michael Mol <mikemol@gmail.com> wrote:
> > So, incidentally, would 'sudo passwd root'...
>
> Ouch... any way to avoid that?
>
> I guess the best way would be to simply give them access to the commands
> they need...
>
> I'll look into that...

Howsabout in sudoers giving them the right to execute 2 commands...

cat /etc/whatever > scratchfile (this one may not be necessary)
cat scratchfile > /etc/whatever

The first command copies the contents of the file to whatever
directory the user is in. He can work on the copy using his regular
privileges. Note that I'm assuming the user does not have read
privileges on the file. If he does have read privileges, then the first
command does not require sudoers.

At the last step, he can send the finished copy back to the
original file. The sequence the user will have to follow is, logged in
as regular user...

1a) If he does *NOT* have read privileges to /etc/whatever
touch scratchfile
sudo cat /etc/whatever > scratchfile

1b) If he *DOES* have read privileges to /etc/whatever
cp /etc/whatever scratchfile


2) edit scratchfile *LOCALLY* with his favourite editor. No need to
worry about restricting an editor.

3) sudo cat scratchfile > /etc/whatever

Note the use of "cat", rather than "cp", when using sudo. "cp" will
copy the file attributes, including the fact that it's owned by the user
doing the copying, e.g. sudo (as root) copies the file and it's owned by
root (oops). Ditto for "cat" when redirected *TO A NEW FILE*. "touch"
guarantees that the file will exist, and get overwritten by the content
of /etc/whatever, but still retaining the fact that it's owned by the
local user.

If local user has read access to /etc/whatever, that makes things
easier. When he does "cp" as local user, the resulting file is owned by
him. Edit at leisure, and send the result back with "cat".

--
Walter Dnes <waltdnes@waltdnes.org>
 