LinuxQuestions.org
Old 08-02-2010, 09:27 PM   #1
hackaway
LQ Newbie
 
Registered: Jan 2006
Posts: 2

Using sudoers to restrict editing of certain files


In a recent discussion I had, I was led to believe I could use sudoers to restrict using vi (for example) for the editing of say specific config files. I know how to allow root use of vi and how to lock it down from getting to a bash prompt with NOEXEC tag, but I can't figure out how to restrict the use of vi to only edit certain files. Tutorials and howtos I have checked don't address this. Any ideas?

TIA
 
Old 08-02-2010, 10:42 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,657
Blog Entries: 33

Quote:
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 4 million posts to search it's possible the answer has been given.
Not too sure, but...

If you make the files writeable only by the root user, the general user may not save the file on site.

I found a comprehensive article on this, (using an alias for a program name)

http://linuxshellaccount.blogspot.co...tricks-in.html

Aside from that, I use sudo in the opposite way, that is to give me root access through sudo and the wheel group.

When editing /etc/sudoers, su -p and enter root password.

the -p will Preserve Permissions on the file for security integrity.

/etc/sudoers...
Code:
# sudoers file.
....

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root	ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel	ALL=(ALL) ALL

# Same thing without a password
%wheel	ALL=(ALL) NOPASSWD: ALL

# Samples
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
This part...
Code:
# Uncomment to allow people in group wheel to run all commands
# %wheel	ALL=(ALL) ALL
you may add your user name and then by adding yourself to the wheel group have access to root privs without su'ing to root.

I'm sure you may do this for programs and applications too, and is covered in the url above.

Hope this helps, Glenn
 
Old 08-02-2010, 10:47 PM   #3
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

I believe you can list what they are allowed to edit when you specify them in the sudoers


for example

username ALL = /usr/bin/vi /etc/group, /usr/bin/vi /etc/fstab

which would let username edit those files but nothing else
 
Old 08-04-2010, 04:04 AM   #4
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,657
Blog Entries: 33

Another thought, "Parental Control".

Mandriva package manager info...
Quote:
drakguard - Parental control tool
Notice: This is an official package supported by Mandriva

This tool allows to configure parental control. It can block access to web sites and restrict connection during a specified timeframe.
Mandriva Blog.ref: http://blog.mandriva.com/
Quote:
"Parental control allows you now to not only check web sites but also applications used by your children"
A net-nanny type program...
other ref. http://rpm.pbone.net/index.php3/stat....i586.rpm.html

Last edited by GlennsPref; 08-04-2010 at 04:07 AM. Reason: nanny
 
Old 08-05-2010, 06:18 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by GlennsPref
It can block access to web sites and restrict connection during a specified timeframe.
How does this relate to the OP's question of "use sudoers to restrict using vi (for example) for the editing of say specific config files"?
 
Old 08-05-2010, 11:27 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,657
Blog Entries: 33

<edit>You're quite right, unSpawn(about Vi)</edit>
(but in my defence....)
That was a quote from the package manager that I referenced after I looked at the MandrivaBlog and noticed the "netnanny-type-program" had the function of restricting access to programs. (I thought I referenced it....)

Simply, you can stop basic-users, like children, flatmates, or workmates, and subordinates from being able to access certain programs. Just an option I thought of.

Sometimes simple is ample.

I probably wouldn't use this kind of thing for my college mates, but you know, just trying to give solutions/answers. In fact it merely adds to what I have posted.

Regards Glenn

It's pretty simple anyway, just make yourself part of the wheel group, and make sure no-one else is. Then set up /etc/sudoers to suit.

As you know, just 'cause I can read a file, does not mean I can edit it in place.

Last edited by GlennsPref; 08-05-2010 at 11:44 PM. Reason: spelling, my defence
 
Old 08-06-2010, 05:09 AM   #7
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 99

It should be noted that you should not ever edit the /etc/sudoers file directly. Use the visudo command, hopefully your distro has that or similar.

I believe estabroo's example is correct syntax. To restrict files, use a "!":

Code:
username ALL = /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
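
Added example, not part of any post in this thread: a small shell/awk lint for the two rule styles posted above (an editor binary with a file argument, and "!" placed inside the argument list). It goes beyond the posts by including the `sudoedit` form that sudoers provides for per-file editing; the function name `audit_sudoers`, the finding codes and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint sudoers-style rules for two patterns seen in this thread.

# audit_sudoers FILE
# Prints one finding per flagged command as "<line>:<code>:<command>".
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || $1 ~ /^Defaults/ { next }  # nothing to check
    {
        eq = index($0, "=")
        if (eq == 0) next                          # no command list on this line
        n = split(substr($0, eq + 1), cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            sub(/^\([^)]*\)[ \t]*/, "", c)         # drop a (runas) spec
            while (c ~ /^[A-Z_]+:/)                # drop tags such as NOEXEC:
                sub(/^[A-Z_]+:[ \t]*/, "", c)
            m = split(c, w, /[ \t]+/)
            # Editor binary run as root: the file argument only constrains
            # the command line, not what the running editor may open.
            if (w[1] ~ /\/(vi|vim|view|nano|emacs|ed)$/)
                print NR ":EDITOR_AS_ROOT:" c
            # "!" negates a whole command; inside the argument list it is
            # just a literal character to match.
            for (j = 2; j <= m; j++)
                if (w[j] ~ /^!/) print NR ":BANG_IN_ARGS:" c
        }
    }' "$1"
}

# Constructed sample: the two rule styles posted in the thread, plus the
# sudoedit form for the same files. "username" is a placeholder account.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real sudoers file
username ALL = /usr/bin/vi /etc/group, /usr/bin/vi /etc/fstab
username ALL = /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
username ALL = sudoedit /etc/group, sudoedit /etc/fstab
EOF

audit_sudoers "$sample"
```

With a `sudoedit` rule, sudo copies the file, runs the editor as the invoking user on the copy and installs the result, so the editor never runs as root. Check any edited fragment with `visudo -c -f <file>` before installing it.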
 
Old 08-14-2010, 06:43 AM   #8
hackaway
LQ Newbie
 
Registered: Jan 2006
Posts: 2

Original Poster
Thanks

Thank you all for your suggestions. Very helpful!!

Dave
 
  

