[lug] sudoers limitations?

dan radom dan at radom.org
Sun Jul 3 08:15:22 MDT 2005


* David Owen Kritzberg (david.kritzberg at colorado.edu) wrote:
> Hello BLUG people,
> 
> Can someone enlighten me here?  I have been using sudo to execute root
> commands without logging in as root.  I have a web server (apache) and
> I have a couple wikis and a blog going there on the LAMP stack.  
> 
> Now I am trying to share this platform with a colleague, allowing him
> to have a wiki for his consulting business, running on my machine.
> The web home on this machine is /var/www/html/.  
> 
> Maybe this is not a good way to do things. Because from my reading of
> sudoers configuration, there is no way to give him rights to edit
> files in /var/www/html/ without granting his user account (user name
> "dude") full sudoers privileges, as in: 
> 
> dude all=(all) all
> 
> Which gives him the full run of my system, which seems unnecessary,
> and potentially hazardous, as he is not familiar with linux.
> 
> Is there any other way to do this besides having him host his wiki in
> /home/dude/www/?  I have never looked into configuring apache to
> look in user www directories, although I have heard that this is
> preferable to the /var/www route.  
> 
> To reiterate, I want to give a user on the system the ability to edit
> files using emacs, but only files in /var/www/html/wiki/.  Sudo seems
> to be user- and command-based, rather than location-based in the way
> it selects to grant root privileges.  
> 
> It would be great if I only need to chown and chgrp through this
> situation, but my current understanding is this is not the way to go
> with web files and web applications.
> 

add him to the wwwdude group.  then chgrp the files in /var/www/html/
that 'dude' needs to edit, but not rights to edit all files.

Sudo is tricky to secure.  You must make sure that you don't allow users
to run things like shells, visudo, or any editor that can escape to a
shell like vi :sh.

I would use file ownership and group permissions, and possibly a dude/
subdirectory off of your main http root.

dan
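The group-ownership approach Dan describes, written out as an added example (it is not part of the thread and not anything David or Dan posted). It assumes a dedicated group such as wwwdude already exists and that "dude" has been added to it by root; the demo at the bottom uses the caller's own primary group on a throwaway directory so it runs without privileges. No sudoers entry is involved at all: the user edits with his own emacs, as himself, and can only touch the subtree whose group he belongs to.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Give one user write access to one web subtree (e.g. /var/www/html/wiki)
# via group ownership, leaving the rest of /var/www/html alone.
# Assumption: GROUP exists and the user is already a member of it.

setup_shared_webdir() {
    dir=$1
    group=$2

    # Group-own everything in this subtree, and nothing outside it.
    chgrp -R "$group" "$dir" || return 1

    # Files: owner and group may read/write; others (the web server
    # included) may only read.
    find "$dir" -type f -exec chmod 0664 {} + || return 1

    # Directories: group may traverse and create entries. The setgid bit
    # (the leading 2) makes files created inside inherit the directory's
    # group rather than the creator's primary group, so new uploads stay
    # editable by the whole group.
    find "$dir" -type d -exec chmod 2775 {} + || return 1
}

# Return 0 if DIR is a directory owned by GROUP, writable, and setgid.
check_shared_dir() {
    dir=$1
    group=$2
    [ -d "$dir" ] || return 1
    [ -g "$dir" ] || return 1
    [ -w "$dir" ] || return 1
    # Portable group lookup: ls -ld prints "perms links owner group ...".
    actual=$(ls -ld "$dir" | awk '{print $4}')
    [ "$actual" = "$group" ]
}

# Demo on a constructed tree using the caller's primary group.
# For real use: setup_shared_webdir /var/www/html/wiki wwwdude
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/wiki/images" "$tmp/html/blog"
    echo '<?php // wiki ?>' > "$tmp/html/wiki/index.php"
    echo '<?php // blog ?>' > "$tmp/html/blog/index.php"

    setup_shared_webdir "$tmp/html/wiki" "$(id -gn)"

    check_shared_dir "$tmp/html/wiki" "$(id -gn)" \
        && echo "wiki tree is group-editable"
    # The blog tree was not touched: no setgid bit there.
    [ -g "$tmp/html/blog" ] || echo "blog tree unchanged"

    rm -rf "$tmp"
}

demo
```

Because the directories keep o+rx and the files o+r, Apache can still serve the tree without being in the group; only writing is confined to the group. Running the chgrp/chmod once as root is the only privileged step, after which the user never needs sudo to edit the wiki.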
