Originally posted by puffinman
Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root privileges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.
Only problem is...
I don't want them to be able to edit a few files (i.e. configuration files) that pertain to this protected set of applications either -- however, they should be able to edit other configuration files on the system.
Let me give a little better breakdown of what I am trying to accomplish....
These users are webmasters and departmental heads. They all have UNIX knowledge and experience with Linux/Unix systems. However, the proxy and content filtering solution I have in place (Squid/Dansguardian) can be bypassed by placing IP addresses in the excludeipaddress file. I have found that people routinely manipulate these files to be excluded from filtering.
I know that it's a user education issue (and security ruleset enforcement issue); however, these people need to also be able to perform their job functions as well -- and sometimes installing .ASP/J2EE/PHP scripts requires the usage of elevated privileges.
I was hoping sudo would allow me to give them access to perform their jobs and still keep these applications/configuration files in a state that I can control.
If there is another way to get the functionality I need, I'm not stuck on SUDO. I saw Solaris 10 Zones might allow me to assign them user roles -- perhaps that's the way to go?
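An added example sudoers fragment (not from either poster) showing the allow-list approach puffinman describes: explicit root commands for the deployment work plus sudoedit on named files, with the filter's exception list simply never granted. User names, paths and the protected file locations are assumptions.

```sudoers
# Added illustration, not from the thread. User names, paths and the
# protected file locations below are assumptions.
# Principle: grant only the exact commands the job needs; never a shell,
# a general-purpose editor, or chown/chmod/chattr on arbitrary paths.
User_Alias  WEBMASTERS = alice, bob

# Root-requiring deployment tasks, listed with their full argument lists.
# Avoid wildcards in arguments: in sudoers a "*" in the argument part also
# matches "/", so /var/www/* would match far more than one directory.
Cmnd_Alias  WEBDEPLOY = /usr/sbin/apachectl graceful, \
                        /usr/sbin/apachectl configtest, \
                        /etc/init.d/tomcat restart

# Files the webmasters may change. sudoedit edits a temporary copy as the
# invoking user and copies it back, so no editor ever runs as root and
# ":!sh" style escapes gain nothing. The filter exception list (assumed
# under /etc/dansguardian/) and /etc/squid/ are deliberately not listed.
Cmnd_Alias  WEBEDIT = sudoedit /etc/apache2/sites-available/intranet.conf, \
                      sudoedit /etc/php/php.ini

# Allow only the two aliases. A "!" deny list is not a substitute: a user
# who can run an arbitrary binary as root can copy it under another name.
WEBMASTERS  ALL = (root) WEBDEPLOY, WEBEDIT
```

Check the result with `sudo -l -U alice` on the host, and re-check whenever a new command is added, since any granted command that can write files or spawn a process as root reopens the path to the protected lists.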