[lug] sudoers limitations?
David Anselmi
anselmi at anselmi.us
Sun Jul 3 10:49:56 MDT 2005
David Owen Kritzberg wrote:
[...]
> To reiterate, I want to give a user on the system the ability to edit
> files using emacs, but only files in /var/www/html/wiki/. Sudo seems
> to be user- and command-based, rather than location-based in the way
> it selects to grant root privileges.
You don't want to use sudo for this. File permissions should be
sufficient, as others have said.
Here is the security policy you're trying to implement:
- dude can read and write his files
- apache can read and write dude's files (has to for the wiki to work)
- dude can't write files where apache executes code (i.e., the wiki
application)
- no one else can read or write dude's files
You've implied the first two. I added the next two for paranoia.
To implement this: *You* install the wiki app (or use what's already
installed pointed at a different set of data)--those files are owned by
the system with permissions that allow apache to run the code (and
preferably not modify it). The data files are owned by dude and he has
full control of them and the appropriate directories. The data files
are group apache (whatever apache runs as) and apache has read/write
access to them.
Simple enough? It probably helps if you make sure all dude's stuff goes
in separate directories. And you should probably test various cases to
make sure you've got everything right (you might be surprised that write
permission on a directory allows deleting a read-only file).
This doesn't address the wiki policy--anyone who can edit through the
wiki can change any of these files. And I probably missed something
really obvious too (no warranty, IANAL, don't drive like my brother, yada).
Dave
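The layout Dave describes, as an added shell example that is not part of the original thread: application code owned by the system account and only readable by the web server's group, data owned by the editing user with the web server's group given read/write. The directory and file names, the placeholder arguments, and the setgid bit on the data directory are my assumptions; for a real install run it as root with the real user and group names.

```shell
# Added example (not from the thread). Arguments are placeholders:
#   $1 = wiki root   $2 = system owner of the code (normally root)
#   $3 = editing user ("dude")   $4 = group the web server runs as
setup_wiki_perms() {
    root=$1; sysowner=$2; editor=$3; webgrp=$4
    mkdir -p "$root/app" "$root/data"
    : > "$root/app/index.php"        # stand-in for the wiki application
    : > "$root/data/FrontPage.txt"   # stand-in for a wiki page
    # Application code: system-owned; web server may read/run it, not modify it.
    chown -R "$sysowner:$webgrp" "$root/app"
    chmod 750 "$root/app"
    chmod 640 "$root/app/index.php"
    # Data: owned by the editor, group = web server, both read/write.
    # setgid (2xxx) on the directory is an addition: files dude creates
    # in emacs inherit the web server's group instead of his own.
    chown -R "$editor:$webgrp" "$root/data"
    chmod 2770 "$root/data"
    chmod 660 "$root/data/FrontPage.txt"
}

# Mode string as printed by ls, e.g. "drwxrws---".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Test the policy the way the reply suggests. Returns 0 only if every check holds.
check_wiki_perms() {
    root=$1; webgrp=$2
    [ "$(mode_of "$root/app")" = "drwxr-x---" ] || return 1
    [ "$(mode_of "$root/app/index.php")" = "-rw-r-----" ] || return 1
    [ "$(mode_of "$root/data")" = "drwxrws---" ] || return 1
    [ "$(mode_of "$root/data/FrontPage.txt")" = "-rw-rw----" ] || return 1
    # The data directory must carry the web server's group or apache cannot reach it.
    [ "$(ls -ld "$root/data" | awk '{print $4}')" = "$webgrp" ] || return 1
    return 0
}

# The surprise the reply warns about: write permission on the directory governs
# deletion, so a read-only (0444) file in a writable directory can still be removed.
# Returns 0 if the deletion went through.
readonly_file_still_deletable() {
    dir=$1
    : > "$dir/ReadOnly.txt"; chmod 444 "$dir/ReadOnly.txt"
    rm -f "$dir/ReadOnly.txt" 2>/dev/null
    [ ! -e "$dir/ReadOnly.txt" ]
}
```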