Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 05-29-2019, 08:29 PM   #1
LQ Newbie
Registered: May 2019
Posts: 1

Rep: Reputation: Disabled
Creating a sudo group that provides read access but prevents reboot

I am fairly new to Linux and have been playing around with Ubuntu. I am trying to create a sudo group that provides read access to all files but at the same time prevents the ability to edit files owned by root and prevents any reboots. Can anyone help me figure out how I can go about doing this?

Thank you!
Old 05-29-2019, 10:21 PM   #2
Senior Member
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,424
Blog Entries: 3

Rep: Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201Reputation: 2201

You'll want to read up a little on configuring sudo. It can give a fine level of control, if configured wisely. The manual page, see "man sudoers", is the authoritative reference but manual pages not are not intended to be tutorials. So you'll need to find supplementary material when getting started. I'd recommend Michael W Lucas' talk "sudo: You're Doing It Wrong", which is available as slides or video. It's long but worth the content.

The gist is that through configuring /etc/sudoers, you can limit groups to running specific programs with specific options. If you really want that locked down, then cat is the bare minimum. The following allows any account in the group "readers" to read any file on the system:

%readers ALL=(root:root) /bin/cat
As in sudo cat /path/to/some/file | less

Or you are probably just as safe running a pager, but with shell escapes disabled:

%readers ALL=(root:root) NOEXEC: /usr/bin/more, /usr/bin/less
Look up the syntax, especially the NOEXEC: modifying, for the above in the manual page for sudoers. Be sure to use visudo for editing the configuration file. It won't prevent all problems but will at least ensure that the syntax is ok.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
ATA password prevents reboot ernstlenzer Linux - Software 4 05-18-2014 07:00 AM
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 02:36 AM
Block bitmap for group 416 not in group (block 0) + group descriptors corrupted? quanta Linux - Server 1 12-08-2010 11:40 AM
group: add complete group into other group max_mad SUSE / openSUSE 1 04-12-2006 02:43 AM
Group Admin, Group Root, or God over Group crickett Linux - General 5 07-12-2004 05:01 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:18 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration