There are 1000 ways to run `service network restart` without doing `sudo service network restart`. Here is an example of what a naughty user might try:

```sh
$ echo "service network restart" > /tmp/hax
```

If you provide users with the ALL command alias, and then try to create a blacklist, they will always be able to find a way around it. Blacklist bash, and they will use Python. Blacklist Python, and they will use Perl.

If you really don't want someone to do something, you should do as Thomas says, and create a whitelist of things they are allowed to do.

An example of a small whitelist with an exclusion can be found near the bottom of `man sudoers`:

```
# The user pete is allowed to change anyone's password except for root on the HPPA
# Note that this assumes passwd(1) does not take multiple user names
pete HPPA = /usr/bin/passwd *, !/usr/bin/passwd root
```

(In fact this example from the manpage is unsafe and can be exploited to change root's password! See the comments below for how.)

We can try to adapt that to your case, to offer all service commands to the staff group, but exclude the service network commands that concern you:

```
%staff ALL = /usr/sbin/service *, \
```

(The ALL in that position refers to the Host_Alias, not the Cmnd_Alias - confusing, isn't it?)

The user won't be able to run `sudo bash` or `sudo tee` or `sudo wget` or `sudo /path/to/malicious_script`. You can whitelist more admin commands for your users if you are careful.

Note: I added the `*` before the word network above, just in case a harmless flag is ever added to the service tool in the future. Let's imagine a `-verbose` flag was added in future; then users would be able to run the following:

```sh
$ sudo service -verbose network restart
```

So we need the `*` to consume any flags before the service name. The one disadvantage is that this might block other services which you don't actually mind users running, e.g. a service called `safe-network` or `network-monitor` would also be rejected.

Let users edit a file using group permissions

Below you can find various attempts using rnano through sudo to let users edit a file or files. But really they are more complex and more dangerous than they should be. A much simpler and safer solution is to change the group permissions on the specific files that you want to open edit rights for. Here are a couple of examples:

```sh
# Give steve the ability to edit his nginx config:
$ chgrp steve /etc/nginx/sites-available/steves_dodgy_project
$ chmod g+rw /etc/nginx/sites-available/steves_dodgy_project

# Let all members of the staff group edit the group_website config:
$ chgrp staff /etc/nginx/sites-available/group_website
$ chmod g+rw /etc/nginx/sites-available/group_website
```
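As an added illustration, not part of the original answer or of sudo itself, here is a small Python model of how a sudoers Cmnd list is matched against a command, so the whitelist and blacklist rules above can be checked side by side. It assumes a deliberately simplified version of sudoers(5) semantics (glob-matched path, argument string matched as one string as fnmatch(3) would, last matching entry wins, leading `!` denies), and the exclusion entry `!/usr/sbin/service *network*` is constructed to follow the text's description of a `*` before the word network.

```python
"""Simplified model of sudoers Cmnd list matching (added example, not sudo's code).
Assumptions, a deliberate simplification of sudoers(5):
  - an entry is "[!]path [args-pattern]" or "ALL"; ALL matches any command
  - the path is glob-matched; the whole argument string is matched as one
    string in the style of fnmatch(3), so "*" may span several arguments
  - entries are tried in order, the last match wins, a leading "!" denies
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

Entry = Tuple[bool, str, Optional[str]]  # (negated, path pattern, args pattern)


def parse_cmnd_list(spec: str) -> List[Entry]:
    """Split a list such as '/usr/bin/passwd *, !/usr/bin/passwd root'."""
    entries: List[Entry] = []
    for raw in spec.split(","):
        item = raw.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        path, sep, args = item.partition(" ")
        entries.append((negated, path, args.strip() if sep else None))
    return entries


def entry_matches(entry: Entry, path: str, args: str) -> bool:
    _negated, path_pat, args_pat = entry
    if path_pat == "ALL":
        return True
    if not fnmatchcase(path, path_pat):
        return False
    return args_pat is None or fnmatchcase(args, args_pat)


def is_permitted(spec: str, command: str) -> bool:
    """True if `command` ("path arg arg ...") would be allowed by `spec`."""
    path, _, args = command.partition(" ")
    allowed = False
    for entry in parse_cmnd_list(spec):
        if entry_matches(entry, path, args):
            allowed = not entry[0]  # last matching entry decides
    return allowed


# Whitelist from the answer; the exclusion entry is constructed to follow the
# text's description (a "*" before the word network so flags are consumed).
STAFF = "/usr/sbin/service *, !/usr/sbin/service *network*"
# The blacklist style the answer warns against: ALL minus one command.
BLACKLIST = "ALL, !/usr/sbin/service network restart"
```

Running `is_permitted` over the two lists shows the whitelist rejecting `service -verbose network restart` and, as the answer notes, `service safe-network restart` too, while the blacklist still lets `/tmp/hax` through.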