LinuxQuestions.org


LinuxGeek 11-22-2005 09:02 AM

Restricting Editing in Sudo (Advanced Sudo Question)
 
Hi,
I am trying to use sudo to delegate responsibility of the Apache server to one of the users on the system. However, I run into a problem in that I want the user to be able to edit only a single configuration file (httpd.conf) as the user apache and not edit any of the other files owned by the user apache. Is this possible? When I set it to vim with the exact path, the user was able to allow vim to open other files as the user apache. Thanks for your time.

bigrigdriver 11-23-2005 03:23 AM

The common access to files in Linux is controlled by permissions. In order to refine those permissions as you desire, you must use ACL (Access Control List).

I leave it to you to do the www.google.com/linux research.

LinuxGeek 11-23-2005 05:28 AM

Thanks bigrigdriver. I know that this can be done with ACLs but I was wondering if there is a sudo-specific approach. The nice thing about a sudo-specific approach would be that you can leave the ACLs as is and you could easily delegate authority. On the other hand, using ACLs would mean that if you ever wanted to delegate the authority to a different user, you would have to modify the ACL. You also only have ACL support on ext2/ext3. I was thinking of some way to run an editor such as vim without allowing it to open any files other than the one specified as a parameter.

malo_umoran 11-23-2005 05:38 AM

You could check what happens if you change the group ownership of httpd.conf by creating a new group with the apache user in it.

If there are no consequences, create a new group, add your user and the apache user to this group, change the group ownership of this file to the new group and restart apache.

M.

LinuxGeek 11-04-2006 03:20 PM

Just to update an old post of mine with the answer which I found. What I was looking for can be solved using sudoedit for anyone interested.
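
The two approaches from this thread side by side, as an added example that is not part of the original posts. The user name `webadmin`, the drop-in file name and the path `/etc/httpd/conf/httpd.conf` are assumptions; substitute your own.

```sudoers
# /etc/sudoers.d/httpd-conf   (assumed file name; edit with: visudo -f <file>)
# Assumed names: user "webadmin", config file /etc/httpd/conf/httpd.conf.

# Weak rule (what the first post describes): the editor process itself
# runs as apache, so once vim is open the user can load and write any
# other file that apache can access, regardless of the path in the rule.
#webadmin  ALL = (apache) /usr/bin/vim /etc/httpd/conf/httpd.conf

# Restricted rule: "sudoedit" is a sudo built-in and is written without
# a path. sudo copies the listed file to a temporary file, runs the
# editor as the invoking user (webadmin, not apache), and copies the
# result back as apache only if it was modified. The editor never holds
# apache's privileges, so only the listed file can be changed.
webadmin  ALL = (apache) sudoedit /etc/httpd/conf/httpd.conf

# webadmin then runs:
#   sudoedit -u apache /etc/httpd/conf/httpd.conf
# (equivalent to: sudo -e -u apache /etc/httpd/conf/httpd.conf)
```

Delegating to a different user later only means changing the user name in this rule; file ownership and ACLs stay as they are. The editor that gets launched is taken from the invoking user's `SUDO_EDITOR`, `VISUAL` or `EDITOR` environment variable.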

