
Re: Configure sudo



On Fri, May 25, 2012 at 6:31 AM, Slavko <linux@slavino.sk> wrote:
> On Fri, 25 May 2012 10:13:05 +0200 Denis Witt
> <denis.witt@concepts-and-training.de> wrote:


>> * editing of php.ini
>
> It is possible to set the whole command line (with file name) in
> /etc/sudoers, but see below. Try tweaking Unix group memberships for this.
>>
>> * some editors
>
> Here there can be a security problem, because some of the editors can run
> a shell or allow opening more files. If you allow opening an editor with
> high privileges, then these privileges can be used to open other files or
> execute commands too. I found the sudoedit command; try reading more about
> it, but the editor's problem is still here.

Do you need to be root to edit php.ini and does your partner need to
edit root-editable-only files?


>> * apt-get install but not remove
>
> IMO this is possible by setting the whole command "apt-get options *" in
> sudoers, but I never tried this. I have this on one of my servers:
>
> User_Alias    EJABBER = snmp, www-data
> ...
> EJABBER ALL=(ejabberd) NOPASSWD: /usr/sbin/ejabberdctl stats *
>
> By this line (I hope) only snmp and www-data can run the
> "/usr/sbin/ejabberdctl stats *" command. The asterisk can be replaced by
> any other option (package name for you). But be careful with apt-get,
> because more than one command (install, remove, ...) can be used in one
> line... Perhaps some shell script for this, which will accept only
> package names?

You can create a "/usr/local/bin/a-g-i.sh" wrapper script

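#!/bin/sh
# Print usage when called without arguments; otherwise pass them to "apt-get install".
if [ x"$*" = x ]; then
    echo "USAGE: ..."
else
    # "--" ends option parsing, so the arguments cannot add apt-get options
    /usr/bin/apt-get install -- "$@"
fi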

and give your partner (if you're comfortable giving that company
installation rights!) sudo access to it.

They'll also need to use "apt-get update".
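
Added example, not part of the original post: a stricter variant of the a-g-i.sh wrapper that follows the quoted suggestion to accept only package names. apt-get(8) documents that "apt-get install" removes a package whose name is given with a hyphen appended, so the "--" separator alone does not enforce "install but not remove". The function names and the restriction to plain names (no pkg=version, pkg/release, pkg:arch or .deb paths) are assumptions of this example.

```shell
#!/bin/sh
# Added example: stricter a-g-i.sh (install only, plain package names only).
# Assumption: callers never need pkg=version, pkg/release, pkg:arch or .deb paths.

LC_ALL=C; export LC_ALL          # make the a-z range below ASCII-only
APT_GET=/usr/bin/apt-get         # fixed path, never taken from the environment

# valid_pkg_name NAME: return 0 if NAME is a plain Debian package name.
valid_pkg_name() {
    case "$1" in
        ''|-*|*-)           return 1 ;;  # empty, option-like, or "pkg-" (removal request)
        *[!a-z0-9.+-]*)     return 1 ;;  # "/", "=", ":", "*", spaces, uppercase, ...
        [!a-z0-9]*)         return 1 ;;  # names start with a lowercase letter or digit
    esac
    return 0
}

# a_g_i PACKAGE...: validate every argument, then run "apt-get install".
a_g_i() {
    if [ "$#" -eq 0 ]; then
        echo "USAGE: a-g-i.sh PACKAGE..."
        return 0
    fi
    for pkg in "$@"; do
        if ! valid_pkg_name "$pkg"; then
            echo "a-g-i.sh: refusing argument: $pkg" >&2
            return 1             # reject the whole request, apt-get is not started
        fi
    done
    "$APT_GET" install -- "$@"
}

a_g_i "$@"
```

In sudoers the wrapper would be listed by its full path, and the file itself must be writable only by root.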

