LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 07-22-2008, 05:45 PM   #1
blancs
Member
 
Registered: Mar 2005
Posts: 49

Rep: Reputation: 15
help with sudoers file


what i have set is below. I was wondering if there would be an easier way to allow the user access to the syslog to grep, vi, pico, more, or which ever way they want to view it. Or do i have to create a command in the sudoers file for each way?


User_Alias HEG = username
Cmnd_Alias MORESYSLOG = /bin/more /var/log/syslog
HEG ALL = (root) PASSWD: MORESYSLOG
 
Old 07-22-2008, 06:26 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,988
Blog Entries: 11

Rep: Reputation: 880Reputation: 880Reputation: 880Reputation: 880Reputation: 880Reputation: 880Reputation: 880
There are varied possible approaches; a quick-fix would be to
make your user account member of the groups that have read-
access to the logs, in which case you won't need sudo at all.



Cheers,
Tink
 
Old 07-22-2008, 06:44 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
You can list each command separated by ', ' as shown by the example in the sudoers manpage. Changing the permissions of the file or adding file acls may not work after log rotation. Some logs like Xorg.0.log are replaced each time. Looking at the syslog-ng.conf manpage, it seems that the gid() option is global, and you can't indicate facl's as an option as well.
 
Old 07-23-2008, 04:07 PM   #4
blancs
Member
 
Registered: Mar 2005
Posts: 49

Original Poster
Rep: Reputation: 15
So i separated each command with a comma shown below. From what I gathered from the man page the wildcard * could be used to match 0 to infinite characters, well maybe not that far but still for five and below it should have worked. however this doesnt seem to work? What am I doing wrong in regards to the wildcard? Seems to work otherwise.


User_Alias ASSAULTCUBE = %assaultcube

# Cmnd alias specification
Cmnd_Alias MORESYSLOG = /usr/bin/pico /var/log/syslog*,/bin/more /var/log/syslog*,/bin/cat /var/log/syslog*

# Defaults

Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL
ASSAULTCUBE ALL = (root) PASSWD: MORESYSLOG
ASSAULTCUBE ALL = (assaultcube) PASSWD: ALL
 
Old 07-25-2008, 05:42 PM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I think you are confusing the BNF grammer definition of a command alias with the actual syntax:
Code:
Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias'  Host_Alias (':' Host_Alias)* |
          'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

User_Alias ::= NAME '=' User_List

Runas_Alias ::= NAME '=' Runas_List

Host_Alias ::= NAME '=' Host_List

Cmnd_Alias ::= NAME '=' Cmnd_List

NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

Alias_Type NAME = item1, item2, ...
The asterisk here means that you can have zero or more ':' Cmnd_Alias entries.

Also note that the "," is to separate commands in a command list. An Alias list has aliases separated with colons.


Also look in the manpages and documentation for programs like vim and less. They can be configured to not allow the shell escape. For example, allowing rvim or grvim to be run as root but not vim. These will run vim in a more secure mode without the shell escape. Only allowing the more restrictive versions of these programs may be an easier way to go, but there will be a number of holes to plug.

Last edited by jschiwal; 07-25-2008 at 05:50 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
not in the sudoers file? underworld288 Slackware 3 06-18-2007 12:48 AM
help with sudoers file aarulan Linux - Newbie 4 03-26-2006 10:24 PM
Sudoers File Help Harlin Linux - Software 1 03-15-2006 04:16 PM
I deleted /etc/sudoers and creates a new file call sudoers but now it doesnt for visu abefroman Linux - Software 1 11-10-2005 05:03 PM
help with sudoers file ogden2k Linux - Security 4 03-11-2003 10:39 AM


All times are GMT -5. The time now is 10:05 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration