On Fri, 2005-12-02 at 15:22, Mike McCarty wrote:

> >>One cannot configure sudo such that one can "vi /etc/one_special_file"
> >>but not "vi /etc/another_special_file".
> >
> > But you can rather easily have a replace_special_file program that
> > only specified users can run and that does nothing else. Vi permits
> > shell escapes and thus like many unix programs, includes the
> > capabilities of all other programs so it's not something you would
> > want to permit a user to do as root even if you could control the
> > initial file loaded.
>
> But I was addressing the issue of the security model, not whether
> something can be done with a specially designed work-around, nor
> whether vi had some security holes.

It's not a workaround. It's a model of simplicity with simple
well understood rules. You don't need special permissions while
editing, you need them to overwrite a file you don't own. There
are a couple of ways to get those permissions.

> ACL, for example, does exactly what I described, no workaround,
> no special program, no extra scripts.

If you inherit a production machine where someone else has
applied arbitrary ACLs to every file, how long will it take
you to understand why it works or how to fix it as the staff
changes and the permitted user accounts are deleted?

> Everything has its strengths and weaknesses. ACL has its own
> weaknesses, one of which is that it can be a burden to
> non technical users. It's more complex to set up.

And much more difficult to understand after-the-fact because
the rules are distributed in places they probably shouldn't be.

--
Les Mikesell
lesmikesell@xxxxxxxxx
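
The single-purpose helper described in the message above, sketched as an added example that is not part of the original post or the thread. The user name `alice`, the install path `/usr/local/sbin/replace_special_file`, the size limit and the function name `install_from_stdin` are assumptions; the target path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical sudoers rule (via visudo);
# the trailing "" forbids arguments, so the caller cannot name another file:
#   alice ALL = (root) /usr/local/sbin/replace_special_file ""
# alice edits her own copy unprivileged, then submits it on stdin:
#   sudo /usr/local/sbin/replace_special_file < ~/candidate
# Her shell opens ~/candidate as alice; root never opens a caller-chosen path.

TARGET=/etc/one_special_file   # fixed by the administrator
MAX_BYTES=65536                # constructed size limit for this example

# install_from_stdin TARGET: replace TARGET's contents with stdin, atomically,
# keeping TARGET's owner and mode. Returns 1 and leaves TARGET untouched if
# the input is empty or too large, or TARGET is not an existing regular file.
install_from_stdin() {
    target=$1
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refused: $target is not an existing regular file" >&2
        return 1
    fi
    # Temp file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "$target.XXXXXX") || return 1
    # cp -p seeds the temp file with the target's owner and mode; the redirect
    # then truncates it and writes at most MAX_BYTES+1 bytes of the new content.
    if cp -p "$target" "$tmp" && head -c "$((MAX_BYTES + 1))" > "$tmp"; then
        size=$(wc -c < "$tmp")
        if [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ]; then
            mv -f "$tmp" "$target" && return 0
        fi
    fi
    rm -f "$tmp"
    echo "refused: input empty, too large, or write failed" >&2
    return 1
}

# Act only when invoked under the installed name, so the file can also be
# sourced to exercise install_from_stdin on a scratch file.
case "$0" in
    */replace_special_file) install_from_stdin "$TARGET" ;;
esac
```

Because the editor runs unprivileged, shell escapes in vi gain nothing; root is involved only in the final size-checked, atomic overwrite of the one fixed file.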