Why sudo -c and not sudo -i ?

No sudo at all.

su

IMO groups, and group permissions, exist to handle these situations. Users can be in many groups.

Invent a group that has a name that explains its purpose, add TED and BOB to that group, set the group of the SCRIPT, and enable group write permission. No passwords required. Depending on the editor used, some thought might be needed about backup and temporary files the editor uses; but you'll have to consider that anyway.

They are in the same group, in fact the same primary group. The problem is mostly I'm trying to avoid wholesale changes to permissions or activating sudo. The users have menu driven access but we don't want obvious and easy access to stuff they're not to touch. My set up seems to work, just seems messy.

Why not just create a special 'shared folder' that BOB and TED have rw access to, and put the script there? Wouldn't that be simpler and cleaner?

Yes, but that would require re-configuring 90+ computer systems spread out over the entire country. A lot of work for what amounts to a trivial system change. What I considered was changing the permissions of the file and folder in question, but I'm concerned about unintended consequences and the lessening of security resulting in something I get blamed for and have to fix.

The way this will be implemented nation wide is a bi-annual software insertion via an executable package that we do with field service techs, but they're very low level (skill wise) and work for me so I know they won't cause issues. It's the people that don't work for me (the users) having added access that concern me.

The action that I'm adding to the menu is a simple function toggle to turn a feature on or off, what we call "an INI change." Currently, if a user wants it changed, I have to walk them through - over the phone - gaining root access and trusting them to do the edit correctly and not using the root password to go in and muck about with other things they not supposed to be touching. By adding it as a menu function, I remove the need to be involved with the configuration change when it's needed and I reduce the chances of intentional or accidental shenanigans.

The menu that launches the script is for BOB level access. The script that does the edit - a simple sed replace-in-place one-liner - needs to have TED level access or sed fails because it creates a temp file in the target directly. I tried using a temp redirect to store the edits, which worked but I still can't insert the edits into the current file.

Oh well, my two script solution works so I'll send it out that way. I really just wanted to know if I missed some bash magic that I wasn't aware of.

Actually, one nice thing about it, since it's basically shell actions that run in a terminal window, the fact that it's two scripts is totally transparent to the user. So in a way, it's probably less obvious what's happening to the casual user.

Ah. I thought this was a simple 'two person' issue on your own home network.

Have you seen this: https://stackoverflow.com/questions/...script/8352939