LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-29-2011, 08:48 AM   #1
savona
Using sudo to give read access to specific directory


I have a log server that collects logs from all the cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.

Code:
drwx------ 65 root root   4096 Apr 29 7:38 rsyslog
The cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the cisco folks access to the logs without (1) giving them access to root, or (2) changing the permissions on the files.

So I was thinking, is there any way I can give them access through sudo? I know you can limit sudo to certain commands; is there a way I can use sudo to give them read access to the above directory?
 
Old 04-29-2011, 09:06 AM   #2
T3RM1NVT0R

Hi savona,

You can use ACLs to limit their access. You don't have to give them sudo access.

To use ACLs you have to enable the partition for ACL support.

Let me know on which partition the directory holding these logs is mounted, and post the output of your /etc/fstab, so that I can have a look at which partition you need to set the acl option on.
 
Old 04-29-2011, 09:12 AM   #3
savona (Original Poster)
Hope this helps.


Directory is /var/log/rsyslog which is under the / filesystem.

Code:
# cat /etc/fstab
/dev/VG0/LV0            /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VG0/LV1            swap                    swap    defaults        0 0

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG0-LV0    62G  5.4G   54G  10% /
/dev/sda1              99M   27M   68M  29% /boot
tmpfs                1005M     0 1005M   0% /dev/shm
 
Old 04-29-2011, 09:33 AM   #4
T3RM1NVT0R

From the output it appears that you have not configured your /var directory on a separate device and it is there on /, as you mentioned.

Usually ACLs are set on home directories and shared directories, but in this case you have to set it on /.

You can set up the acl by editing /etc/fstab:

/dev/VG0/LV0 / ext3 defaults 1 1

to

/dev/VG0/LV0 / ext3 defaults,acl 1 1

After making the modifications, reboot the system and then use setfacl to set up the ACL on /var/log/rsyslog.

Command to set up acl is as follows:

setfacl -m user:username:rwx /var/log/rsyslog
setfacl -m mask:rwx /var/log/rsyslog

where,

rwx= read, write, execute
user will be the switch
username will be the username of the user whom you want to give access

To verify that the ACL you set is working, type getfacl /var/log/rsyslog

Edit: Make sure you take a backup of /etc/fstab before making any modifications.

Last edited by T3RM1NVT0R; 04-29-2011 at 09:42 AM.
 
Old 04-29-2011, 09:39 AM   #5
Reuti
In a mathematical sense you are bypassing the requirement:
Quote:
The company policy states that any logs should only be accessible by root.
when you use an ACL to give other users access to it. It can be done with sudo though:
Code:
Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/messages
%cisco ALL = (root) NOPASSWD: LIST
in /etc/sudoers.
 
Old 04-29-2011, 09:45 AM   #6
T3RM1NVT0R

@ Reuti

Quote:
The cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the cisco folks access to the logs without, 1 giving them access to root, 2 changing the permissions on the files.
If we give them access using sudoers, I think that will give them a little more than what they require :-)
 
Old 04-29-2011, 09:47 AM   #7
savona (Original Poster)
Quote:
Originally Posted by Reuti
In a mathematical sense you are bypassing the requirement when you use an ACL to give other users access to it. It can be done with sudo though:
Code:
Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/messages
%cisco ALL = (root) NOPASSWD: LIST
in /etc/sudoers.
I am going to do a write up on both possibilities and present them to my boss. I will let him make the decision on how this should be done, or at least give him the option to make the decision.

@T3RM1NVT0R Thank you kindly for this, I think this is the way we will go.

@Reuti inside the /var/log/rsyslog directory there are about 50 directories, one for each cisco device on the network. Is there a way to use a wild card to give them sudo access to all those directories under /var/log/rsyslog?

for example:
Code:
Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/*
%cisco ALL = (root) NOPASSWD: LIST
Also, using sudo in this way would limit them to using less, correct? They would not be able to tail, cat, etc.
 
Old 04-29-2011, 10:07 AM   #8
Reuti
Yes, you can use an asterisk, but it would allow them to specify /var/rsyslog/../spool/anyfile. It would be safer to list the exact file. You can use the shell's matching of wildcards though. Maybe all sub-directories start with the same prefix or so.

Yes, it's exactly one command you allow. You can specify more in the Cmnd_Alias and separate them by a comma, or define another Cmnd_Alias.
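The two sudo caveats in this thread, Reuti's rule in #5 that allows exactly one command and the wildcard traversal in #8, can both be handled by pointing sudoers at a small wrapper instead of at /usr/bin/less. What follows is an added example and not code from the thread or from any of its posters. It assumes the log tree is /var/log/rsyslog (the rule in #5 writes /var/rsyslog), a group named cisco, an install path of /usr/local/sbin/viewlog, and GNU coreutils realpath. Two facts it relies on: sudo matches command arguments with fnmatch-style wildcards that do match "/", so "/var/log/rsyslog/*" is satisfied by "/var/log/rsyslog/../../etc/shadow"; and less has shell escapes ("!", "v", "|") that run as root under sudo unless it is started with LESSSECURE=1.

```shell
#!/bin/sh
# Added example, not from the thread: /usr/local/sbin/viewlog (assumed path), a
# fixed-argument wrapper that sudo exposes instead of /usr/bin/less. sudoers
# lines (assumed group name):
#   Cmnd_Alias VIEWLOG = /usr/local/sbin/viewlog
#   %cisco ALL = (root) NOPASSWD: VIEWLOG
#
# Why not "/usr/bin/less /var/log/rsyslog/*" in sudoers?
#  1. sudo matches arguments with fnmatch and lets "*" cross "/", so
#     "/var/log/rsyslog/../../etc/shadow" satisfies the rule and less opens
#     /etc/shadow as root. A symlink planted inside the tree does the same.
#  2. less has shell escapes ("!cmd", "v", "|"); under sudo they are a root shell.

LOGROOT="${LOGROOT:-/var/log/rsyslog}"   # overridable for testing; default is the thread's path

# check_log_path FILE: print the canonical path and return 0 if FILE resolves
# (symlinks and ".." followed) to a regular file inside $LOGROOT, else return 1.
check_log_path() {
    canon=$(realpath -e -- "$1" 2>/dev/null) || return 1   # -e: must exist
    root=$(realpath -e -- "$LOGROOT" 2>/dev/null) || return 1
    case "$canon" in
        "$root"/*) ;;            # inside the tree after canonicalisation
        *) return 1 ;;
    esac
    [ -f "$canon" ] || return 1  # no directories, devices or fifos
    printf '%s\n' "$canon"
}

# viewlog FILE: the entry point sudo runs as root
viewlog() {
    [ $# -eq 1 ] || { echo "usage: viewlog FILE" >&2; return 2; }
    f=$(check_log_path "$1") || { echo "viewlog: refused: $1" >&2; return 1; }
    # LESSSECURE=1 puts less in secure mode: no shell commands, no pipes,
    # no editor, no log files. It is set here, as root, so the caller cannot drop it.
    LESSSECURE=1 exec less -- "$f"
}

# Run only when invoked as the installed script, not when sourced for tests
case "$0" in
    */viewlog|viewlog) viewlog "$@" ;;
esac
```

Under sudo's default env_reset the caller's LESS* variables do not reach the wrapper, and the wrapper sets LESSSECURE itself before exec'ing less. Adding the NOEXEC tag to the rule (NOPASSWD: NOEXEC: VIEWLOG) is a second, independent barrier against anything less might still try to execute. The same check_log_path function serves tail or cat if those are wanted later; only the exec line changes, and the sudoers rule stays wildcard-free.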
 
Old 04-29-2011, 10:59 AM   #9
savona (Original Poster)
Quote:
Originally Posted by T3RM1NVT0R
[post #4 quoted in full]

I have changed the options in /etc/fstab and remounted. I have added the ACL with the setfacl command, but we do not want them to have write permissions so I used r-x only.

Code:
# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---

The user is still not able to cd to that directory, or list its content.


Code:
[test@logserv ~]$ cd /var/log/rsyslog 
-bash: cd: /var/log/rsyslog: Permission denied

Any ideas?
 
Old 04-29-2011, 11:18 AM   #10
Reuti
Are all upper directories in the path accessible too?
 
Old 04-29-2011, 11:24 AM   #11
orgcandman
Quote:
The company policy states that any logs should only be accessible by root
Who wrote that policy? What that means, if I'm reading correctly, is that you must give root to cisco in order for them to access the logs.

If it's allowed to give them access, then do it the right way, make a group called "logreaders" and add the cisco user to that group. then change the ownership/permissions so it looks like:

Code:
drwxr-x--- 65 root logreaders 4096 Apr 29 7:38 rsyslog/
-rw-r----- XX root logreaders <=========  everything under rsyslog/
Then your cisco user need only do:
Code:
cat /var/log/rsyslog/XXXXX
Doing it with sudo is dangerous. I can think of a number of bypasses that can be effectively carried out against a sudoers file that is written in a hasty manner.
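orgcandman's layout above stops being true the moment rsyslog writes a new file, because rsyslog creates files and per-device directories as root with its own defaults (0644 for files, 0700 for directories). The following is an added example and not the poster's code: it applies the ownership and mode scheme from the post and emits the rsyslog legacy-format directives that make newly created files match it. Assumed names: group logreaders, account ciscouser, tree /var/log/rsyslog. The directives ($FileOwner, $FileGroup, $FileCreateMode, $DirOwner, $DirGroup, $DirCreateMode) belong in rsyslog.conf before the rules that write under that tree.

```shell
#!/bin/sh
# Added example (not from the thread): the group-ownership approach from
# post #11 made persistent. Assumed names: group "logreaders", account
# "ciscouser", tree /var/log/rsyslog. The chgrp/chmod pass only fixes files
# that already exist; the rsyslog directives below cover everything it
# creates afterwards.

# run CMD...: execute, or only print when DRYRUN=1 so the plan can be reviewed first
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_logreaders GROUP USER DIR
setup_logreaders() {
    group=$1; user=$2; dir=$3
    run groupadd -f "$group"              # -f: succeed if the group already exists
    run usermod -a -G "$group" "$user"    # -a: append, keep the user's other groups
    run chgrp -R "$group" "$dir"
    # 2750 on directories: setgid bit makes subdirectories rsyslog creates
    # inherit the group; 0640 on files: owner rw, group r, other nothing
    run find "$dir" -type d -exec chmod 2750 {} +
    run find "$dir" -type f -exec chmod 0640 {} +
}

# rsyslog_directives GROUP: legacy-format directives so files and directories
# rsyslog creates from now on get the same owner, group and modes as above
rsyslog_directives() {
    group=$1
    cat <<EOF
\$FileOwner root
\$FileGroup $group
\$FileCreateMode 0640
\$DirOwner root
\$DirGroup $group
\$DirCreateMode 0750
EOF
}
```

The setgid bit (2750) covers directories rsyslog creates under the tree regardless of the directives; $FileGroup and $FileCreateMode are what give each new log file the logreaders group and 0640 mode instead of root-only 0644 with the wrong group. Run setup_logreaders with DRYRUN=1 first to see the exact commands before they touch /var/log.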
 
Old 04-29-2011, 11:27 AM   #12
savona (Original Poster)
Quote:
Originally Posted by Reuti
Are all upper directories in the path accessible too?
Thanks, I got it working. Had to allow /var and /var/log as well!
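Pulling #4, #9 and #10 together: the ACL route needs the acl mount option, an entry on the target tree, and traverse (x) entries on every ancestor directory, which is what #12 found missing. This added example, not the posters' code, does the last two steps in one function, uses read-only rights rather than the rwx in #4 because these users only read the logs, and adds a default ACL so files rsyslog creates later inherit the entry. Assumptions: user test, tree /var/log/rsyslog, the acl package (setfacl/getfacl) installed, and the filesystem already mounted with acl (for the thread's ext3 root, mount -o remount,acl / applies the fstab change without the reboot suggested in #4). One point relevant to #14: after setfacl, ls -l shows the ACL mask in the group column and marks the entry with a "+"; the owning group's own entry is unchanged, and getfacl shows both.

```shell
#!/bin/sh
# Added example, not code from the thread. Grants one user read-only access to
# the log tree with POSIX ACLs and leaves mode bits and ownership untouched.
# Assumes: filesystem mounted with the acl option, setfacl/getfacl installed,
# user "test", tree /var/log/rsyslog (the thread's values).

# parents_of DIR: print every ancestor of DIR except /, shallowest first.
# Each one needs "x" for the user, or entering DIR fails with
# "Permission denied" even though DIR itself carries the ACL (post #9/#10).
parents_of() {
    d=$(dirname -- "$1")
    out=""
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        out="$d${out:+ $out}"
        d=$(dirname -- "$d")
    done
    printf '%s\n' "$out"
}

# run CMD...: execute, or only print when DRYRUN=1 so the plan can be reviewed
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_read_acl USER DIR
grant_read_acl() {
    user=$1; dir=$2
    # x only on the ancestors: the user can pass through /var and /var/log
    # but still cannot list them
    for p in $(parents_of "$dir"); do
        run setfacl -m "u:$user:x" "$p"
    done
    # rX on the tree: capital X gives execute only to directories (and to files
    # that already have it), so the logs stay readable but not executable.
    # The d: entry is a default ACL on every directory, so files rsyslog
    # creates later (new devices, rotated logs) inherit the entry instead of
    # coming up root-only again. setfacl recalculates the mask itself; the
    # explicit "mask:rwx" from post #4 is not needed.
    run setfacl -R -m "u:$user:rX,d:u:$user:rX" "$dir"
}

# verify_read_acl USER DIR: 0 if getfacl shows an effective r-x entry on DIR.
# If a mask were limiting it, getfacl appends "#effective:..." and -x fails.
verify_read_acl() {
    getfacl -p -- "$2" 2>/dev/null | grep -qx "user:$1:r-x"
}
```

Run grant_read_acl with DRYRUN=1 first to see the three setfacl commands it will issue; then verify_read_acl test /var/log/rsyslog and a plain "su -s /bin/sh -c 'ls /var/log/rsyslog' test" confirm the result from the user's side, which is the check post #9 was missing.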
 
Old 04-29-2011, 12:43 PM   #13
T3RM1NVT0R

Hi savona,

I am glad that it is working :-)

Have a nice weekend to all!!!

Last edited by T3RM1NVT0R; 04-29-2011 at 12:44 PM.
 
Old 01-30-2012, 10:21 PM   #14
jashar
setfacl without group?

I've found that using setfacl also changes the base entry of the group, and some programs check for this (for security). Is there any way to give access to a second user without giving access to a group? Thanks.
 
Old 01-31-2012, 11:50 AM   #15
Reuti
@jashar: Can you please create a new thread with this question and put examples there of what you are referring to, in detail.
 
  

