The user zamo is a member of the secondary group admin .
The files and directories under /var/dir1/* are owned by admin:admin .

Since user zamo is a member of the admin , he can allow to rwx to the files and directories beneath /var/dir1/* .

I cannot turn on acl here . .What will be the best way to give zamo with read-only access to /var/dir1/* ? Is there a way to do that in sudo ?

I believe your options are:

1. remove zamo from admin group
2. create a new group that owns /var/dir1 and exclude zamo from that group


I cannot think of any way to use `sudo` to restrict zamo from writing to a directory. The purpose of `sudo` is to, as its man page says "execute a command as another user" so I don't think that will help you.


I've had to do some file permission things like this, and what I ended up doing was using a LOT of groups. Like 15 groups, sometimes one group just for one directory. It worked out pretty well, actually.

No, sudo can't withdraw file permissions. Sudo only grants permission to do things.
But you can change the permissions for group admin, so zamo only has read access.
If you can't do that you'll either have to remove zamo from group admin, or change group on /var/dir1/*

Thanks , I want to make sure am on the right page .