sudoers config to allow edit of files in particular directory (and children)
Solution 1:
You can use sudoedit:
%editors_group ALL=(root) sudoedit /var/www/vhosts/hostabc/*
And add all editors to editors_group
The wildcard will not allow path traversal because:
Wildcards used in sudoedit command line arguments are expected to be path names, so a forward slash (‘/’) will not be matched by a wildcard
Also note:
Users should never be granted sudoedit permission to edit a file that resides in a directory the user has write access to, either directly or via a wildcard. If the user has write access to the directory it is possible to replace the legitimate file with a link to another file, allowing the editing of arbitrary files. Starting with version 1.8.15, sudoedit will refuse to open a symbolic link unless either the sudoedit_follow Defaults option is enabled or the sudoedit command is prefixed with the FOLLOW tag. However, it is still possible to create a hard link if the directory is writable and the link target resides on the same file system.
Source: sudoers man page.
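The man page caveat above is easy to check for. The following POSIX shell audit is an added example (not from the answer or from sudo itself): given the directory a sudoedit wildcard rule exposes and the group that holds the rule, it reports whether the directory is writable by that group (links can then be planted) and lists symbolic links and multiply-linked files under it. It assumes a find that supports -group, -perm -g=w and -links, and paths without whitespace.

```shell
#!/bin/sh
# Audit a directory exposed through a sudoers rule such as
#   %editors_group ALL=(root) sudoedit /var/www/vhosts/hostabc/*
# for the conditions the sudoers man page warns about: the directory being
# writable by the editors (so a file can be swapped for a link), and files
# that are symbolic or hard links (so the edit lands outside the tree).
# Usage: audit_sudoedit_dir DIR GROUP  -> prints findings, returns 1 if any.

audit_sudoedit_dir() {
    dir=$1
    grp=$2
    count=0

    # 1. Directory writable by the editors' group, or by everyone.
    if [ -n "$(find "$dir" -maxdepth 0 -group "$grp" -perm -g=w)" ] ||
       [ -n "$(find "$dir" -maxdepth 0 -perm -o=w)" ]; then
        echo "WRITABLE: $dir is writable by $grp or by everyone; links can be planted"
        count=$((count + 1))
    fi

    # 2. Symbolic links: sudoedit >= 1.8.15 refuses them unless sudoedit_follow
    #    or the FOLLOW tag is set; older versions follow them.
    for f in $(find "$dir" -type l); do
        echo "SYMLINK: $f -> $(readlink "$f")"
        count=$((count + 1))
    done

    # 3. Hard links: a regular file with a link count above one is the same
    #    inode as a file elsewhere on the file system; sudoedit cannot tell.
    for f in $(find "$dir" -type f -links +1); do
        echo "HARDLINK: $f has more than one link"
        count=$((count + 1))
    done

    [ "$count" -eq 0 ]
}

# Demonstration on a constructed temporary tree (not a real vhost directory).
demo() {
    d=$(mktemp -d)
    g=$(id -gn)
    echo "clean" > "$d/index.html"
    audit_sudoedit_dir "$d" "$g" && echo "clean tree: OK"
    chmod g+w "$d"                        # editors can now replace files
    ln "$d/index.html" "$d/copy.html"     # hard link inside the tree
    ln -s /etc/hostname "$d/link.html"    # symlink pointing outside
    audit_sudoedit_dir "$d" "$g" || echo "unsafe tree: findings reported"
    rm -rf "$d"
}

demo
```

Run it as root against the real vhost tree with the editors' group name; a clean result means the directory itself is not writable by the editors and contains no links that sudoedit could be steered through.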
Solution 2: Instead of using sudo mechanism, you could use POSIX ACLs.
groupadd hostabc # Create a group that will have read-write access to the folder
setfacl -R -m g:hostabc:rwX /var/www/vhosts/hostabc/ # Allow full access for hostabc group, recursively
setfacl -R -d -m g:hostabc:rwX /var/www/vhosts/hostabc/ # Same permissions for new files and folders
getfacl /var/www/vhosts/hostabc/ # To show the permissions
usermod -a -G hostabc user1 # Add user1 to hostabc group
Solution 3: It looks like there's no straightforward way. An old mailing list post implies that such a feature was discussed a few years ago, but a look at the current changelog shows that the post's pessimism is right, and nothing ever came of it.
Can you change the group ownership of those files? If you can, you can use chmod g+s /var/www/vhosts/hostabc, and then new files will also get that group. Alternately, and perhaps better although less transparent, you could use ACLs. These approaches would let you avoid using sudo at all.