[SOLVED] Using sudoers to restrict editing of certain files
Using sudoers to restrict editing of certain files
In a recent discussion I had, I was led to believe I could use sudoers to restrict using vi (for example) to the editing of, say, specific config files. I know how to allow root use of vi and how to lock it down from getting to a bash prompt with the NOEXEC tag, but I can't figure out how to restrict the use of vi to only edit certain files. Tutorials and howtos I have checked don't address this. Any ideas?
Aside from that, I use sudo in the opposite way, that is to give me root access through sudo and the wheel group.
When editing /etc/sudoers, su -p and enter the root password.
The -p will Preserve Permissions on the file for security integrity.
/etc/sudoers...
Code:
# sudoers file.
....
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
# Samples
%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users localhost=/sbin/shutdown -h now
This part...
Code:
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
You may add your user name and then, by adding yourself to the wheel group, have access to root privs without su'ing to root.
I'm sure you may do this for programs and applications too, and this is covered in the URL above.
<edit>You're quite right, unSpawn (about Vi)</edit>
(but in my defence....)
That was a quote from the package manager that I referenced after I looked at the MandrivaBlog and noticed the "netnanny-type-program" had the function of restricting access to programs. (I thought I referenced it....)
Simply, you can stop basic-users, like children, flatmates, or workmates, and subordinates from being able to access certain programs. Just an option I thought of.
Sometimes simple is ample.
I probably wouldn't use this kind of thing for my college mates, but you know, just trying to give solutions/answers. In fact it merely adds to what I have posted.
Regards Glenn
It's pretty simple anyway, just make yourself part of the wheel group, and make sure no-one else is. Then set up /etc/sudoers to suit.
As you know, just 'cause I can read a file, does not mean I can edit it in place.
Last edited by GlennsPref; 08-05-2010 at 11:44 PM.
Reason: spelling, my defence
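For the question at the top of the thread, one way to limit a user to editing named files is sudo's built-in `sudoedit` command. The fragment below is an added example, not part of any post in this thread; the user name `alice` and the two file paths are hypothetical.

```sudoers
# Added example: hypothetical user "alice" and hypothetical file paths.

# Weak form (left commented out): the file name is only the first argument
# given to vi. The editor itself runs as root, so its own open and save
# commands can still reach any other file on the system. NOEXEC stops
# shell escapes but does nothing about that.
# alice ALL = (root) NOEXEC: /usr/bin/vi /etc/ntp.conf

# Restricted form: "sudoedit" is a sudo built-in and is written without a
# path. sudo copies the named file to a temporary file, runs the editor as
# alice (not as root) on that copy, and writes the copy back to the
# original only if it was changed.
Cmnd_Alias CONF_EDIT = sudoedit /etc/ntp.conf, \
                       sudoedit /etc/httpd/conf/httpd.conf

alice ALL = (root) CONF_EDIT

# List each file by its full path. Avoid wildcards here, and keep the
# files in directories that alice cannot write to.
```

With this rule the user runs `sudoedit /etc/ntp.conf`, and the editor comes from SUDO_EDITOR, VISUAL or EDITOR. Check the file with `visudo -c` before relying on it.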