LinuxQuestions.org
Old 02-28-2009, 03:26 AM   #1
bobinabottle
LQ Newbie
 
Registered: Feb 2009
Posts: 1

Rep: Reputation: 0
system wide read only user?


Hi there,

Sorry, I'm not sure if this should be in the newbie forum or here..

Basically I'm running Red Hat Linux and frequently access root via sudo. We have some external developers that need to be able to read system log files etc., but I don't want them to be able to change any system files.

Is there a way of writing up a sudoers file so that when they access sudo they can have read access to the entire filesystem but not be able to edit or execute anything?

I thought about using chmod for this, but thought it would mess up permissions for system programs.

If someone could help that would be great, thanks :-)
 
Old 02-28-2009, 06:11 AM   #2
niknah
Member
 
Registered: Dec 2002
Location: In front of a computer
Distribution: UPS, DHL, FedEx
Posts: 466

Rep: Reputation: 38
Use setfacl/getfacl instead of normal permissions.

This would give the "developers" group read access to all files...
Code:
setfacl -R -m g:developers:r-x /

But not all distributions have ACLs enabled; you may have to remount your filesystem first with...
Code:
mount / -o acl,remount

Last edited by niknah; 02-28-2009 at 06:21 AM.
 
Old 02-28-2009, 07:23 AM   #3
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,994

Rep: Reputation: 76
sudo can't be used for filesystem access directly: it only tells you which commands a user is allowed to run.

What you could do is to write a set of scripts that will let your developers read your system files, and configure sudo to only run those scripts. They could even be fairly simple scripts, i.e.
Code:
#!/bin/bash
cat /var/log/messages
Another option would be to set up a read-only Samba share containing the files, and give the developers password-protected access to that. That way, they don't even need shell access to the machine.
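
The sudo-plus-script approach from post #3, written out as an added example that is not part of the original thread: one wrapper that sudo is allowed to run, which only prints regular files that really sit under /var/log. The install path, the script name readlog and the sudoers line are assumptions; "developers" is the group name used in post #2.

```bash
#!/bin/bash
# Added example, not from the thread. Hypothetical install path:
#   /usr/local/sbin/readlog   (owned by root, mode 0755)
# Hypothetical sudoers line (edit with visudo); "developers" is the group
# name used earlier in the thread:
#   %developers ALL=(root) /usr/local/sbin/readlog
# Usage by a developer:  sudo /usr/local/sbin/readlog messages

LOG_ROOT=/var/log   # assumption: only files below this directory are exposed

# resolve_log ROOT NAME
# Prints the canonical path of NAME if it is a regular file that really
# lives below ROOT; returns non-zero for anything else.
resolve_log() {
    local root target
    root=$(readlink -f -- "$1") || return 1
    # Canonicalise first, so "../" and symlinks cannot lead outside ROOT.
    target=$(readlink -f -- "$root/$2") || return 1
    case "$target" in
        "$root"/*) ;;          # still inside ROOT
        *) return 1 ;;         # escaped ROOT, or is ROOT itself
    esac
    [ -f "$target" ] || return 1
    printf '%s\n' "$target"
}

# show_log NAME: print one log file, or refuse with a message on stderr.
show_log() {
    local path
    if ! path=$(resolve_log "$LOG_ROOT" "$1"); then
        echo "readlog: refusing '$1': not a regular file under $LOG_ROOT" >&2
        return 1
    fi
    # cat rather than a pager: a pager can start a shell, which would run
    # as root when the script is invoked through sudo.
    cat -- "$path"
}

if [ "$#" -eq 1 ]; then
    show_log "$1"
else
    echo "usage: readlog FILE   (FILE is relative to $LOG_ROOT)" >&2
fi
```

Because the sudoers line names only this script, the developers get no other command as root, and the path check keeps arguments such as ../shadow or a symlink planted in the log directory from reaching files outside /var/log.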
 
  

