Old 08-11-2005, 02:41 PM   #1
TPAWired
LQ Newbie
 
Registered: Aug 2005
Posts: 2

Rep: Reputation: 0
SUDO Command help


Howdy Friends:

I'm trying to figure out a way to do this and not lose my sanity completely. I'd like to use SUDO to allow certain people SU access (webmasters, department administrators -- all trusted and educated Linux people); however, there are a few files that I would *NOT* like them to ever be able to touch.

Again; these users would be allowed to do anything on the system that the root user would be able to do, except be able to execute, edit, or modify a certain (small) list of files.

ANY AND ALL help with this would be very much appreciated and welcomed.

Thanks!

TPAWired
 
Old 08-11-2005, 03:36 PM   #2
puffinman
Member
 
Registered: Jan 2005
Location: Atlanta, GA
Distribution: Gentoo, Slackware
Posts: 217

Rep: Reputation: 30
Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root privileges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.
 
Old 08-15-2005, 12:34 PM   #3
TPAWired
LQ Newbie
 
Registered: Aug 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by puffinman
Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root privileges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.
Only problem is...

I don't want them to be able to edit a few files (i.e. configuration files) that pertain to this protected set of applications either -- however, they should be able to edit other configuration files on the system.

Let me give a little better breakdown of what I am trying to accomplish....

These users are webmasters and departmental heads. They all have UNIX knowledge and experience with Linux/Unix systems. However, the proxy and content filtering solution I have in place (Squid/DansGuardian) can be bypassed by placing IP addresses in the excludeipaddress file. I have found that people routinely manipulate these files to be excluded from filtering.

I know that it's a user education issue (and security ruleset enforcement issue); however, these people need to also be able to perform their job functions as well -- and sometimes installing .ASP/J2EE/PHP scripts requires the usage of elevated privileges.

I was hoping SUDO would allow me to give them access to perform their jobs and still keep these applications/configuration files in a state that I can control.

If there is another way to get the functionality I need, I'm not stuck on SUDO. I saw Solaris 10 Zones might allow me to assign them user roles -- perhaps that's the way to go?
 
Old 08-15-2005, 01:50 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,978
Blog Entries: 11

Rep: Reputation: 879
Well, you can always be VERY specific in what rights you grant them via sudo, e.g. admin=/usr/bin/vim /etc/passwd, admin=/usr/bin/vim /etc/shadow, ... Another approach would be to put all those guys into a group admin, make admin owner of the files they CAN modify with a 770, and give admin 700 for those particular files and the directory that holds them. May mean that you have to do some shuffling of config files, though, depending on how you've set up the machine.


Cheers,
Tink
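An added example (written for this thread, not code from any of the posters) that lays out Tinkster's two file sets in a scratch directory and audits the locked-down one. The group name admin, the paths and the file contents are constructed; chgrp is skipped so it runs without root.

```shell
#!/bin/sh
# Added example: models the "770 for shared configs, 700 for the protected
# set" layout from the reply above in a temp directory and audits it.
# Paths, file names and contents are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/etc/web" "$WORK/etc/protected"

# Configs the admin group is allowed to edit (the 770 set).
printf 'ServerName example.test\n' > "$WORK/etc/web/httpd.conf"
# The filter exclusion list the original poster wants out of reach (the 700 set).
printf '192.0.2.10\n' > "$WORK/etc/protected/excludeipaddress"

# In production these would also be chgrp'd to admin; only modes are set here.
chmod 770 "$WORK/etc/web" "$WORK/etc/web/httpd.conf"
chmod 700 "$WORK/etc/protected" "$WORK/etc/protected/excludeipaddress"

# Octal mode of a path, with GNU stat (Linux) or BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "locked" if neither group nor others have any permission bit, else "open".
perm_state() {
    case "$(mode_of "$1")" in
        *00) echo locked ;;
        *)   echo open ;;
    esac
}

# Audit a directory that must stay owner-only: print every path under it
# (the directory itself included) that leaks group/other access and return
# non-zero if anything was found. A 700 directory already hides its files,
# but a later chmod on the directory alone would silently expose them, so
# both the directory and its contents are checked.
audit_locked() {
    leaks=0
    for p in $(find "$1"); do
        if [ "$(perm_state "$p")" = open ]; then
            echo "exposed: $p (mode $(mode_of "$p"))"
            leaks=$((leaks + 1))
        fi
    done
    [ "$leaks" -eq 0 ]
}

audit_locked "$WORK/etc/protected" && echo "protected set is owner-only"
```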