LinuxQuestions.org
Old 02-28-2009, 04:26 AM   #1
bobinabottle
LQ Newbie
 
Registered: Feb 2009
Posts: 1

Rep: Reputation: 0
system wide read only user?


Hi there,

Sorry, I'm not sure if this should be in the newbie forum or here..

Basically I'm running Red Hat Linux and frequently access root via sudo. We have some external developers that need to be able to read system log files etc, but I don't want them to be able to change any system files.

Is there a way of writing up a sudoers file so that when they access sudo they can have read access to the entire filesystem but not be able to edit or execute anything?

I thought about using chmod for this, but thought it would mess up permissions for system programs.

If someone could help that would be great, thanks :-)
 
Old 02-28-2009, 07:11 AM   #2
niknah
Member
 
Registered: Dec 2002
Location: In front of a computer
Distribution: UPS, DHL, FedEx
Posts: 466

Rep: Reputation: 38
Use setfacl/getfacl instead of normal permissions.

This would give the "developers" group read access to all files...
Code:
setfacl -R -m g:developers:r-x /

But not all distributions have ACLs enabled; you may have to remount your filesystem first with...
Code:
mount / -o acl,remount

Last edited by niknah; 02-28-2009 at 07:21 AM.
 
Old 02-28-2009, 08:23 AM   #3
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,990

Rep: Reputation: 67
sudo can't be used for filesystem access directly: it only tells you which commands a user is allowed to run.

What you could do is to write a set of scripts that will let your developers read your system files, and configure sudo to only run those scripts. They could even be fairly simple scripts, i.e.
Code:
#!/bin/bash
cat /var/log/messages
Another option would be to set up a read-only Samba share containing the files, and give the developers password-protected access to that. That way, they don't even need shell access to the machine.
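
One way to build the sudo-restricted script approach from post #3, as an added example that is not part of the original thread: a single wrapper that accepts a short log name, maps it to a fixed path, and refuses everything else. The install path /usr/local/sbin/readlog, the sudoers line, and every allowlisted file other than /var/log/messages are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed (hypothetical) install path:
# /usr/local/sbin/readlog, owned by root, mode 0755, not writable by others.
# Assumed sudoers entry (edit with visudo):
#   %developers ALL=(root) NOPASSWD: /usr/local/sbin/readlog
# Usage: sudo /usr/local/sbin/readlog messages

# Map a short name to one fixed file. The caller never supplies a path,
# so "../" tricks and requests such as /etc/shadow are refused outright.
# The list below is a constructed sample; adjust it to the logs you expose.
resolve_log() {
    case "$1" in
        messages) printf '%s\n' /var/log/messages ;;
        secure)   printf '%s\n' /var/log/secure ;;
        maillog)  printf '%s\n' /var/log/maillog ;;
        cron)     printf '%s\n' /var/log/cron ;;
        *)        return 1 ;;
    esac
}

readlog_main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: readlog {messages|secure|maillog|cron}" >&2
        return 2
    fi
    target=$(resolve_log "$1") || {
        echo "readlog: '$1' is not an allowed log" >&2
        return 1
    }
    # Refuse symlinks and non-regular files so a swapped log file
    # cannot point the root-run cat at something else.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "readlog: $target is not a regular file" >&2
        return 1
    fi
    # Absolute path to cat, and cat rather than a pager: less and more
    # can start a shell, which would run as root under sudo.
    /bin/cat -- "$target"
}

# Run only when an argument was given, e.g. "readlog messages".
if [ "$#" -gt 0 ]; then
    readlog_main "$@"
fi
```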
 
  

