Craig White wrote:
> On Fri, 2005-12-02 at 14:14 -0600, Mike McCarty wrote:
>> One cannot configure sudo such that one can "vi /etc/one_special_file"
>> but not "vi /etc/another_special_file".
> ----
> I am DEFINITELY not an expert on sudoers file but...

Nor am I.

> # tail -n 5 /etc/sudoers
> Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
> Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
> # User privilege specification
> craig ALL=(ALL) ALL
> craig ALL= NOPASSWD : IPOD, EJECT
> makes me believe that I could only use modprobe and eject as prescribed
> if I didn't have the ALL=(ALL) ALL designation.

Yes, one can restrict what commands get used. But one cannot
restrict what one does with that command.
For example, suppose I need a user who can move a file
to a backup area, and then create a new one using some editor
or other. I can "unleash" mv and the editor, but then
I cannot (AFAIK) prevent that user from using mv or the
editor on *any* file.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
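
How sudoers matches a command line against entries like the IPOD and EJECT aliases quoted in this message, as an added example that is not part of the original thread: a simplified Python model of the argument-matching rule documented in sudoers(5), covering only the command list and not the `ALL=(ALL) ALL` line. The `vi`, `id` and `ls` entries and their paths are constructed for illustration, and sudo's own matcher handles more cases (path wildcards, sudoedit, digests) than this model does.

```python
import fnmatch
import shlex

# Entries from the sudoers excerpt in the thread, plus constructed ones (marked).
RULES = [
    "/sbin/modprobe -r sbp2",
    "/usr/bin/eject /dev/sda2",
    "/usr/bin/eject /dev/sdb2",
    "/usr/bin/vi /etc/one_special_file",  # constructed; path is an assumption
    '/usr/bin/id ""',                      # constructed: no arguments allowed
    "/bin/ls",                             # constructed: any arguments allowed
]


def rule_matches(rule, argv):
    """Simplified model of sudoers(5) command matching for a single entry."""
    spec = shlex.split(rule)  # '""' becomes one empty-string argument
    if not argv or argv[0] != spec[0]:
        return False          # must be the same fully qualified command
    if len(spec) == 1:
        return True           # bare command in the entry: any arguments pass
    if spec[1:] == [""]:
        return len(argv) == 1  # "" in the entry: only the bare command passes
    # Arguments in the entry: the user's arguments must match them exactly,
    # or match their wildcards. In this model, as in sudoers argument
    # matching, a wildcard also matches '/' and spaces, so exact arguments
    # are the tighter choice.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(spec[1:]))


def allowed(command_line, rules=RULES):
    """True if any entry in rules permits the given command line."""
    argv = shlex.split(command_line)
    return any(rule_matches(rule, argv) for rule in rules)


if __name__ == "__main__":
    for line in ("/sbin/modprobe -r sbp2", "/sbin/modprobe -r usb_storage",
                 "/usr/bin/vi /etc/one_special_file",
                 "/usr/bin/vi /etc/another_special_file"):
        print(f"{line!r}: {'allowed' if allowed(line) else 'denied'}")
```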