Date: Wed, 31 May 2006 18:37:06 -0400
From: "N.J. Thomas"
To: Lawrence Horvath
Cc: freebsd-questions@freebsd.org
Subject: Re: sudoedit, restricting to particular folder
Message-ID: <20060531223706.GA4607@ayvali.org>
In-Reply-To: <200605301630.45755.kirk@daycos.com>

* Kirk Strauser [2006-05-30 16:30:45 -0500]:
> > luser ALL = (root) sudoedit /home/luser/foo/*
>
> Why not give them root while you're at it:
>
> luser$ cd ~/foo; ln -s /etc/master.passwd; sudoedit ~/foo/master.passwd

Yikes, he's right. Don't put that in your sudoers file.

I found some notes on the sudo mailing lists while Googling, that

    luser ALL = (root) sudoedit /home/luser/foo/

would work one day for all files in /home/luser/foo/, IIRC Todd Miller
said this would come out in version 1.7, but it looks like development
of sudo has stalled, so short of writing your own wrapper script (which
shouldn't be terribly hard) I don't know how to solve the original
problem of restricting sudoedit to a particular directory using sudo
alone.

Thomas

-- 
N.J. Thomas
njt@ayvali.org
Etiamsi occiderit me, in ipso sperabo
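
The file check a wrapper like the one mentioned in the message above would need, as an added example that is not part of the original post or of sudo. The names `open_confined`, `Refused` and `demo` are hypothetical, and the sample directory layout is constructed. Because the directory is writable by the user, the checks run on open descriptors rather than on path strings, and hard links are refused as well as symlinks.

```python
import os
import stat
import tempfile

class Refused(Exception):
    """Raised when a requested file fails the wrapper's policy."""

def open_confined(base_dir, name):
    """Open `name` inside `base_dir` read-write, or raise Refused."""
    if "/" in name or name in ("", ".", ".."):
        raise Refused("name must be a single path component")
    # The base itself must be a real directory, not a link to one.
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW makes the open fail when `name` is a symlink.
        fd = os.open(name, os.O_RDWR | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dfd)
    except OSError as exc:
        raise Refused(f"cannot open {name!r}: {exc.strerror}") from exc
    finally:
        os.close(dfd)
    # Inspect the object actually opened, so it cannot be swapped afterwards.
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise Refused(f"{name!r} is not a singly linked regular file")
    return fd

def demo():
    """Constructed layout: one plain file, one symlink, one hard link."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        base = os.path.join(top, "foo")           # stands in for /home/luser/foo
        os.mkdir(base)
        outside = os.path.join(top, "sensitive")  # a file outside foo
        for path in (outside, os.path.join(base, "notes.txt")):
            with open(path, "w") as f:
                f.write("x\n")
        os.symlink(outside, os.path.join(base, "sym"))
        os.link(outside, os.path.join(base, "hard"))
        for name in ("notes.txt", "sym", "hard", "../sensitive"):
            try:
                os.close(open_confined(base, name))
                results[name] = "allowed"
            except Refused:
                results[name] = "refused"
    return results

if __name__ == "__main__":
    print(demo())
```

A wrapper built on this would read and write the file only through the returned descriptor and never reopen it by path.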