Using sudo to give read access to specific directory
I have a log server that collects logs from all the cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.
Code:
drwx------ 65 root root 4096 Apr 29 7:38 rsyslog
So I was thinking, is there any way I can give them access through sudo? I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?
Hi savona,
You can use acl to limit their access. You don't have to give them sudo access. To use acl you have to enable the partition for acl. Let me know on which partition the directory under which these logs are located is mounted, and the output of your /etc/fstab, so that I can have a look at which partition you need to set the acl option on.
Hope this helps.
Directory is /var/log/rsyslog which is under the / filesystem.
Code:
# cat /etc/fstab
From the output it appears that you have not configured your /var directory on a separate device and it is there on / as you mentioned.
Usually acl is set on home directories and shared directories, but in this case you have to set it on /. You can set up the acl by editing /etc/fstab:
Code:
/dev/VG0/LV0 / ext3 defaults 1 1
to
Code:
/dev/VG0/LV0 / ext3 defaults,acl 1 1
After making the modifications reboot the system and then use setfacl to set up the acl on /var/log/rsyslog. The command to set up the acl is as follows:
Code:
setfacl -m user:username:rwx /var/log/rsyslog
setfacl -m mask:rwx /var/log/rsyslog
where rwx = read, write, execute; user will be the switch; username will be the username of the user whom you want to give access to. To verify that the acl you set is working, type
Code:
getfacl /var/log/rsyslog
Edit: Make sure you take a backup of /etc/fstab before making any modifications.
In a mathematical sense you are bypassing the requirement:
Code:
Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/messages
@T3RM1NVT0R Thank you kindly for this, I think this is the way we will go. @Reuti inside the /var/log/rsyslog directory are about 50 directories, one for each cisco device on the network. Is there a way to use a wildcard to give them sudo access to all those directories under /var/log/rsyslog? For example:
Code:
Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/*
Yes, you can use an asterisk, but it would allow them to specify: /var/rsyslog/../spool/anyfile. It would be safer to list the exact file. You can use the shell's matching of wildcards, though. Maybe all sub-directories start with the same prefix or so.
Yes, it's exactly one command you allow. You can specify more in the Cmnd_Alias and separate them by a comma, or define another Cmnd_Alias.
I have changed the options in /etc/fstab and remounted. I have added the acl with the setfacl command, but we do not want them to have write permissions so I used r-x only.
Code:
# getfacl rsyslog/
The user is still not able to cd to that directory, or list its content.
Code:
[test@logserv ~]$ cd /var/log/rsyslog
Any ideas?
Are all upper directories in the path accessible too?
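To check Reuti's point (every directory on the way down must carry the search bit, or an ACL granting it) and to grant the r-x access savona wants in one go, here is an added shell example; it is not code from the thread, and it assumes GNU setfacl/getfacl on a filesystem mounted with the acl option. It goes one step beyond the thread by also setting a default ACL so directories created later for new devices inherit the entry.

```sh
# Added example for this thread, not code posted by anyone in it.
# Assumes GNU/Linux with the acl package (getfacl/setfacl) and a
# filesystem mounted with the acl option; paths contain no whitespace.

# Print every prefix of an absolute path, one per line: / /var /var/log ...
path_prefixes() {
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    printf '/\n'
    prefix=''
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        printf '%s\n' "$prefix"
    done
}

# Print the first component the *current* user cannot search (cd into) and
# return 1; print nothing and return 0 when the whole path is traversable.
first_untraversable() {
    for d in $(path_prefixes "$1"); do
        if [ ! -x "$d" ]; then
            printf '%s\n' "$d"
            return 1
        fi
    done
    return 0
}

# Show mode, owner/group and ACL entries of every component, so a missing
# search bit or a restrictive ACL mask on a parent directory stands out.
show_path_acls() {
    for d in $(path_prefixes "$1"); do
        ls -ld "$d"
        getfacl --omit-header "$d" 2>/dev/null | sed 's/^/    /'
    done
}

# Grant USER read-only access to DIR (run as root): r-x on directories,
# r-- on files (capital X = execute only where it already makes sense),
# plus a default ACL so directories created later for new devices inherit it.
grant_readonly_acl() {
    user=$1; dir=$2
    setfacl -R -m "u:$user:rX" "$dir"
    find "$dir" -type d -exec setfacl -d -m "u:$user:rx" {} +
    getfacl --omit-header "$dir"
}
```

Run first_untraversable and show_path_acls as the log-reading user (not as root, who can search any directory) to find where the path stops being searchable. grant_readonly_acl is the root-side counterpart of the setfacl step above, with r-x instead of rwx.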
If it's allowed to give them access, then do it the right way: make a group called "logreaders" and add the cisco user to that group. Then change the ownership/permissions so it looks like:
Code:
drwxr-x--- 65 root logreaders 4096 Apr 29 7:38 rsyslog/
Code:
cat /var/log/rsyslog/XXXXX
Hi savona,
Am glad that it is working :-) Have a nice weekend to all!!!
setfacl without group?
I've found that using setfacl also changes the base entry of the group, and some programs check for this (for security). Is there any way to give access to a second user without giving access to a group? Thanks.
@jashar: Can you please create a new thread with this question and put examples there of what you are referring to, in detail.