I need to allow 3 users in user 'extra' the ability to alter a file on my vps. The file is in /root and I changed the file permission to 666 (YIKES!) so that the file can be altered by the 'extra' user.
I remember that there is some kind of trick whereby a user can change permissions or something whereby they can get root privileges. There are supposed to be things that need to be done to prevent this ability. Does anyone know what I am talking about here and the remedy? Thanks.

there are several things you need to think about:
1. permission settings (on directory and on files)
2. sudo (privilege handling)
3. selinux
But I do not really know what is your problem and what is your configuration.

I'm marking this thread "unsolved" as the OP has not indicated what his problem is and why one needs to "remedy" anything when a file has been given such bad DAC rights and resides in the /root directory in the first place. Please explain in detail.

Those 3 users should be in a group that is allowed to access that file. the file permissions should not allow 'anybody' access to it as in 666, change that at least to 660. (Owner & Group to have read/write permission)

Thanks. Not familiar with setting up groups yet, so I'll do that. I also wasn't sure about the 666 and will change it to 660.

Lack of knowledge, (with all due respect) laziness and actual requirements are different ways to reach a decision. If it's the first two then we need to correct that as only the third option is a valid reason (if nothing like "--config-file=/other/path" or equivalent exists). So, no, I wouldn't advise that until the OP has given a valid reason why the file should be in /root in the first place.


While SELinux, as pan64 offered, won't stop anyone from editing that file (as it relies on sane DAC rights among other things) you can use the audit service (or 'rootsh') to create an audit trail of users "movement". As for editing a file, yes: if a user is allowed to 'sudo $EDITOR /path/file' problems arise when the editor in question allows it to escape to a shell or allows arbitrary command execution. See 'man sudoers', the "Secure editing" part.

A wise OP is not going to voluntarily stick his neck in anyone's noose.

say the file's name is battles.txt,
is it located at /root/battles.txt or /battles.txt ?

if the first, why would you need it located under the root home account?
if the second then with proper file permissions i don't see what harm that location causes versus being under /home/battles.txt or /usr/bin/battles.txt and so on.
In any case the file permission and group permissions are what matter, and like said don't give world permission any access and keep it limited to owner and group.

if you are forced to have the file located within the root home account at /root/battles.txt for whatever reason you can't get around,
the folder /root/ has the owner.group permission of root.root with permissions being 700 => only root (superuser) can get into it.
I would not allow your 3 users to be in the root group, instead create a group of some name and id, like group name = badpractice with some id number in the proper range. then do "chown root.badpractice /root/" to change group ownership of the /root folder and
then do chmod 750 /root/ to allow only users in the group named badpractice to be able to get into the /root/ folder but not write anything new in there. then do "chown root.badpractice /root/battles.txt" and "chmod 770 /root/battles.txt" to allow users in the group badpractice access to that file.
Functionally i don't see much of a problem if the rest of the files under /root/ have proper permissions and aren't changed and you don't put nothing else in there. but hopefully the group name i chose was obvious and you should find a better way to do that.
and if the file battles.txt needs to be an executable, then use 770 for permissions.
based on what you said you need to do, i don't see a need to use sudo for anything you can get by in any case with just file/group permissions.

This is, more or less, just another "XY Problem."

There's really no plausible reason for an externally-modifiable file to be ... to "must be" ... in the /root directory. Therefore, the presented question, "how do I allow three users to modify it there?," is the wrong question to ask.

It's like: "How do I permit exactly three users to shoot me in the foot?"

Put the file into a place that is "ordinary," in a directory that can be made accessible only to specified groups, including one that includes only these three users. Treat this file, and all modifications made to it, as "untrusted." Now, devise a separate mechanism by which versions of this file (in that place ...) can be snapshotted, archived, and transferred to a secure directory where it can be e-v-a-l-u-a-t-e-d by a trusted third-party person, who can choose to install it or not. (Consider a version-control system, like git ...) Consider how that trusted person might be able to instantly and accurately revert any change.

1 members found this post helpful.