[SOLVED] Using sudo to give read access to specific directory

savona · 04-29-2011, 07:48 AM

I have a log server that collects logs from all the cisco devices on our network. The company policy states that any logs should only be accessible by root. So I have the following permissions set on the directory, as well as everything inside the directory where the cisco logs are kept.

Code:

drwx------ 65 root root   4096 Apr 29 7:38 rsyslog

The cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the cisco folks access to the logs without, 1 giving them access to root, 2 changing the permissions on the files.

So I was thinking, is there anyway I can give them access through sudo? I know you can limit sudo to certain commands, is there a way I can use sudo to give them read access to the above directory?

T3RM1NVT0R · 04-29-2011, 08:06 AM

Hi savona,

You can use acl to limit their access. You don't have to give them sudo access.

To use acl you have to enable the partition for acl.

Let me know on which partition and directory under which these logs are located is mounted and output of your /etc/fstab so that I can have a look on which partition you need to set acl option.

savona · 04-29-2011, 08:12 AM

Hope this helps.

Directory is /var/log/rsyslog which is under the / filesystem.

Code:

# cat /etc/fstab
/dev/VG0/LV0            /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VG0/LV1            swap                    swap    defaults        0 0

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG0-LV0    62G  5.4G   54G  10% /
/dev/sda1              99M   27M   68M  29% /boot
tmpfs                1005M     0 1005M   0% /dev/shm

T3RM1NVT0R · 04-29-2011, 08:33 AM

From the out put it appears that you have not configured your /var directory on a separate device and it is there on / as you mentioned

Usually acl is set on home directories and shared directories but in this case you have to set it on /.

You can set up the acl by editing /etc/fstab:

/dev/VG0/LV0 / ext3 defaults 1 1

to

/dev/VG0/LV0 / ext3 defaults,acl 1 1

After making the modifications reboot the system and then use setfacl option to setup acl on /var/log/rsyslog

Command to set up acl is as follows:

setfacl -m user:username:rwx /var/log/rsyslog
setfacl -m mask:rwx /var/log/rsyslog

where,

rwx= read, write, execute
user will be the switch
username will be the username of the user whom you want to give access

To verify if the acl you set is working type getfacl /var/log/rsyslog

Edit:: Make sure you take backup of /etc/fstab before making any modifications.

Reuti · 04-29-2011, 08:39 AM

In a mathematical sense you are bypassing the requirement:

Quote:

The company policy states that any logs should only be accessible by root.

when you use an ACL to give other users access to it. It can be done with sudo though:

Code:

Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/messages
%cisco ALL = (root) NOPASSWD: LIST

in /etc/sudoers.

T3RM1NVT0R · 04-29-2011, 08:45 AM

@ Reuti

Quote:

The cisco folks are requesting access to these logs, which is allowed by company policy. Now here is where it gets complicated. I need to give the cisco folks access to the logs without, 1 giving them access to root, 2 changing the permissions on the files.

If we will give them access using sudoers I think that will give them little more than what they require :-)

savona · 04-29-2011, 08:47 AM

Quote:

Originally Posted by Reuti

In a mathematical sense you are bypassing the requirement:when you use an ACL to give other users access to it. It can be done with sudo though:

Code:

Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/messages
%cisco ALL = (root) NOPASSWD: LIST

in /etc/sudoers.

I am going to do a write up on both possibilities and present them to my boss. I will let him make the decision on how this should be done, or at least give him the option to make the decision.

@T3RM1NVT0R Thank you kindly for this, I think this is the way we will go.

@Reuti inside the /var/log/rsyslog directory is about 50 directories, on for each cisco device on the network. Is there a way to use a wild card to give them sudo access to all those directories under /var/log/rsyslog?

for example:

Code:

Cmnd_Alias LIST = /usr/bin/less /var/rsyslog/*
%cisco ALL = (root) NOPASSWD: LIST

Also, using sudo in this way would limit them to using less correct? They would not be able to tail, cat, etc...

Reuti · 04-29-2011, 09:07 AM

Yes, you can use an asterisk but it would allow them to specify: /var/rsyslog/../spool/anyfile It would be more safe to list the exact file. You can use the shell's matching of wildcards though. Maybe all sub-directories start with the same prefix or so.

Yes, it's exactly one command you allow. You can specify more in the Cmnd_Alias and separate them by a comma or define another Cmnd_Alias.

savona · 04-29-2011, 09:59 AM

Quote:

Originally Posted by T3RM1NVT0R

From the out put it appears that you have not configured your /var directory on a separate device and it is there on / as you mentioned

Usually acl is set on home directories and shared directories but in this case you have to set it on /.

You can set up the acl by editing /etc/fstab:

/dev/VG0/LV0 / ext3 defaults 1 1

to

/dev/VG0/LV0 / ext3 defaults,acl 1 1

After making the modifications reboot the system and then use setfacl option to setup acl on /var/log/rsyslog

Command to set up acl is as follows:

setfacl -m user:username:rwx /var/log/rsyslog
setfacl -m mask:rwx /var/log/rsyslog

where,

rwx= read, write, execute
user will be the switch
username will be the username of the user whom you want to give access

To verify if the acl you set is working type getfacl /var/log/rsyslog

Edit:: Make sure you take backup of /etc/fstab before making any modifications.

I have change the options in /etc/fstab and remounted. I have added the acl with the setfacl command but we do not want them to have write permissions so I used r-x only.

Code:

# getfacl rsyslog/
# file: rsyslog
# owner: root
# group: root
user::rw-
user:test:r-x
group::---
mask::r-x
other::---

The user is still not able to cd to that directory, or list its content.

Code:

[test@logserv ~]$ cd /var/log/rsyslog 
-bash: cd: /var/log/rsyslog: Permission denied

Any ideas?

Reuti · 04-29-2011, 10:18 AM

Are all upper directories in the path accessible too?

orgcandman · 04-29-2011, 10:24 AM

Quote:

The company policy states that any logs should only be accessible by root

Who wrote that policy? What that means, if I'm reading correctly, is that you must give root to cisco in order for them to access the logs.

If it's allowed to give them access, then do it the right way, make a group called "logreaders" and add the cisco user to that group. then change the ownership/permissions so it looks like:

Code:

drwxr-x--- 65 root logreaders 4096 Apr 29 7:38 rsyslog/
-rw-r----- XX root logreaders <=========  everything under rsyslog/

Then your cisco user need only do:

Code:

cat /var/log/rsyslog/XXXXX

Doing it with sudo is dangerous. I can think of a number of bypasses that can be effectively carried out with a sudoers that will be written in a hasty manner.

savona · 04-29-2011, 10:27 AM

Quote:

Originally Posted by Reuti

Are all upper directories in the path accessible too?

Thanks, I got it working. Had to allow /var and /var/log as well!

T3RM1NVT0R · 04-29-2011, 11:43 AM

Hi savona,

Am glad that it is working :-)

Have a nice weekend to all!!!

jashar · 01-30-2012, 09:21 PM

I've found that using setfacl also changes the base entry of the group, and some programs check for this (for security). Is there any way to give access to a second user without giving access to a group? Thanks.

Reuti · 01-31-2012, 10:50 AM

@jashar: Can you please create a new thread with this question and put examples there what you are referring to in detail.