Re: VI wrapper for SUDO?

To: debian-security@lists.debian.org
Subject: Re: VI wrapper for SUDO?
From: Christoph Ulrich Scholler <scholler@fnb.tu-darmstadt.de>
Date: Fri, 30 Nov 2001 12:23:14 +0100
Message-id: <[🔎] 20011130122314.B16287@fnb.tu-darmstadt.de>
In-reply-to: <[🔎] m2d721gpsb.fsf@komodo.home.wards.net>; from bill@wards.net on Thu, Nov 29, 2001 at 02:45:08PM -0800
References: <[🔎] m2d721gpsb.fsf@komodo.home.wards.net>

hi,

maybe i misunderstand the intention here, but isn't it pointless to
restrict privileges of the editing process of /etc/aliases if you could
just as well change root's alias to a program that's run whenever root
receives email and, e. g., puts one's most favourite /etc/passwd in
place of the original?

regards,

uLI

On Thu, Nov 29, 2001 at 02:45:08PM -0800 or thereabouts, William R Ward wrote:
> A lazy sysadmin, not thinking through the ramifications, might put
> things like "/usr/bin/vi /etc/aliases" in the sudoers file, thinking
> that it limits access.  But of course, vi has the ":e" command...
> 
> Is there any kind of wrapper that can be used to allow sudo to grant
> editing access to only one file?  I am thinking of something similar
> to vipw or visudo, but with security in mind; following this basic
> algorithm:
> 
> 1. Using user privileges, Copy the desired file to a temp file owned
>    by the real user.
> 2. Using user privileges, Edit the temp file.
> 3. Using root privileges, copy the temp file to the final location.

Reply to:

Follow-Ups:
- Re: VI wrapper for SUDO?
  - From: Joshua Goodall <joshua@myinternet.com.au>

References:
- VI wrapper for SUDO?
  - From: William R Ward <bill@wards.net>

Prev by Date: RE: whats up?
Next by Date: Re: VI wrapper for SUDO?
Previous by thread: Re: VI wrapper for SUDO? - another bad way ??
Next by thread: Re: VI wrapper for SUDO?
Index(es):
- Date
- Thread