Howdy Friends:

I'm trying to figure out a way to do this and not loose my sanity completely. I'd like to use SUDO to allow certain people SU access (webmasters, department administrators -- all trusted and educated linux people); however there are a few files that I would *NOT* like them to ever be able to touch.

Again; these users would be allowed to do anything on the system that the root user would be able to do, except be able to execute, edit, or modify a certain (small) list of files.

ANY AND ALL help with this would be very much appreciated and welcomed.

Thanks!

TPAWired

Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root priveleges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.

Only problem is...

I don't want them to be able to edit a few files (i.e. configuration files) that pertain to these protected set of applications ether -- however, they should be able to edit other configuration files on the system.

Let me give a little better breakdown of what I am trying to accomplish....

These users are webmasters and departmental heads. They all have UNIX knowledge and experience with LINUX/Unix systems. However, the proxy and content filtering solution I have in place (Squid/Dansguardian) can be bypassed by placing IP Addresses in the excludeipaddress file. I have found that people routinely manipulate these diles to be excluded from filtering

I know that it's a user education issue (and security ruleset enforcement issue); however, these people need to also be able to perform they're job functions as well -- and sometimes installing .ASP/J2EE/PHP scripts require the usage of elevated privliges.

I was hoping SUDO would allow me to give them access to perform they're jobs and still keep these applications/configuration files in a state that I can control.

If there is another way to get the functionality I need, I'm not stuck on SUDO. I saw Solaris 10 Zones might allow me to assign them user roles -- perhaps that's the way to go?

Well, you can always be VERY specific in what rights
you grant them via sudo, e.g. admin=/usr/bin/vim /etc/passwd,
admin=/usr/bin/vim /etc/shadow, ... another approach would
be to put all those guys into a group admin, make admin
owner of the files they CAN modify with a 770, and give
admin 700 for those particular files and the directory that
holds them. May mean that you have to do some shuffling
of config files, though, depending on how you've set-up
the machine.


Cheers,
Tink