LinuxQuestions.org

abhinav4 08-23-2012 09:23 AM

Open file using sudo
 
I have a file "abc" which has 700 permission.
I want to set something in sudoers file so that a user "somename" has full privilege to it.

*What are the best practices to perform the above task?

byannoni 08-23-2012 09:26 AM

I don't think you can do that in sudoers, but you can do this:
Code:

chown somename abc

abhinav4 08-23-2012 09:36 AM

Well, it seems that sudoers file is used only to gain access to some commands, but it cannot be used to give permission to a user to modify the contents of a file :(

TB0ne 08-23-2012 10:45 AM

Quote:

Originally Posted by abhinav4 (Post 4762178)
Well, it seems that sudoers file is used only to gain access to some commands, but it cannot be used to give permission to a user to modify the contents of a file :(

Right...so why can't you do what you want, since you just (essentially) said that sudo can do it?

Give ONE user permission to use ONE command. That command can be "vi <some file name>". Change the ownership of the file to only allow root to access it, so then either root or that one user (via "sudo vi <some file name>") can edit it.

jefro 08-23-2012 03:09 PM

I think I'd have changed the group or owner to this user so that they could do some task before I gave them sudo.

TB0ne 08-23-2012 03:18 PM

Quote:

Originally Posted by jefro (Post 4762473)
I think I'd have changed the group or owner to this user so that they could do some task before I gave them sudo.

That's another way to do it, which will work just fine, too. However, I tend to lean towards sudo for things just like this, mainly because of the auditing purposes. A user can modify/delete their shell history, but (if you only give them sudo rights for ONE COMMAND), can't edit the sudo logs, and you can see what they did, and when.

The same thing can be accomplished either way, though, but the OP did ask about sudo specifically.

chrism01 08-23-2012 05:58 PM

Unfortunately, tools like vi enable you to escape to the shell, then all bets are off ...
I'd go with user or group ownership & set the perms as needed or (more fine-grained) use an ACL.

byannoni 08-23-2012 06:04 PM

Quote:

Originally Posted by chrism01 (Post 4762576)
Unfortunately, tools like vi enable you to escape to the shell, then all bets are off ...
I'd go with user or group ownership & set the perms as needed or (more fine-grained) use an ACL.

That is a good point, but:
Quote:

Originally Posted by TB0ne (Post 4762482)
if you only give them sudo rights for ONE COMMAND

Don't give them a command that will let them escape to the shell. Be careful, but if you know what you're doing, you won't have that problem.
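
The concern in the posts above (a sudo grant for an interactive program such as vi can be escaped to a root shell) can be checked mechanically. This is an added example, not part of any poster's reply: a shell function that flags such grants in simple sudoers lines. The sample entries, the `ESCAPABLE` list and the function names are constructed for illustration, and aliases and line continuations are not parsed.

```shell
#!/bin/sh
# Programs with a well-known "run a command" feature (illustrative, not exhaustive).
ESCAPABLE="vi vim view ex ed nano emacs less more man"

# Constructed sample entries in sudoers syntax.
sample_sudoers() {
cat <<'EOF'
Defaults env_reset
# editor run as root: can spawn a shell and write other files
somename ALL = /usr/bin/vi /root/abc
# sudoedit: editor runs as the invoking user on a temporary copy
somename ALL = sudoedit /root/abc
operator ALL = (root) NOPASSWD: /usr/bin/less /var/log/messages, /sbin/reboot
auditor  ALL = NOEXEC: /usr/bin/less /var/log/secure
EOF
}

# audit_sudoers: read sudoers-style lines on stdin, print one finding per
# risky grant. Simplification: everything after "#" is treated as a comment.
audit_sudoers() {
    awk -v list="$ESCAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    { sub(/#.*/, "") }
    /^[ \t]*Defaults/ || !/=/ { next }          # keep only "user host = cmds" lines
    {
        user = $1
        spec = $0; sub(/^[^=]*=/, "", spec)      # command list after "="
        noexec = 0                               # tags carry over to later commands
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            sub(/^[ \t]*(\([^)]*\))?[ \t]*/, "", c)   # drop an optional "(runas)"
            sub(/[ \t]+$/, "", c)
            while (match(c, /^[A-Z_]+:[ \t]*/)) {     # peel tags such as NOPASSWD:
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOEXEC:/) noexec = 1
                if (tag ~ /^EXEC:/)   noexec = 0
                c = substr(c, RLENGTH + 1)
            }
            split(c, w, /[ \t]+/); prog = w[1]; sub(/.*\//, "", prog)
            if ((prog in risky) && !noexec)
                printf "%s: %s -> shell escape possible; use sudoedit or NOEXEC\n", user, c
        }
    }'
}

sample_sudoers | audit_sudoers
```

Run against the sample, only the plain `vi` and `less` grants are reported; the `sudoedit` and `NOEXEC:` entries pass.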

chrism01 08-23-2012 06:16 PM

Quote:

I want to set something in sudoers file so that a user "somename" has full privilege to it.

Need the OP to define 'full privilege'.

In any case my point stands; sudo is designed to control what cmds/tools you can run.
It cannot protect files and many cmds have a way to break out into the shell, even if it's just ctrl-C or similar.
See the Security Notes here http://linux.die.net/man/8/sudo

abhinav4 08-24-2012 06:02 AM

Quote:

somename ALL=/root/abc

Putting the above line in sudoers file made me achieve what I was trying, and I do not think it is a security hole.

iamwilliam 08-24-2012 07:39 AM

I think you need to use FACL (File Access Lists) to achieve what you want.

You need to make sure that the filesystem has been mounted with the acl option.

Code:

[root@docserver ~]# cat /etc/fstab
/dev/VolGroup00/LogVol00 /                      ext3    defaults,acl        1 1
LABEL=/boot            /boot                  ext3    defaults        1 2

Remount the filesystem
Code:

mount -o remount /

Verify the options have been applied
Code:

[root@server ~]# mount -l
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl)

Now user2 has "full control" over secretfile
Code:

setfacl -m u:user2:x /home/user1/
setfacl -m u:user2:rwx /home/user1/secretfile


abhinav4 08-24-2012 08:43 AM

Quote:

Originally Posted by iamwilliam (Post 4763041)
I think you need to use FACL (File Access Lists) to achieve what you want.

You need to make sure that the filesystem has been mounted with the acl option.

Code:

[root@docserver ~]# cat /etc/fstab
/dev/VolGroup00/LogVol00 /                      ext3    defaults,acl        1 1
LABEL=/boot            /boot                  ext3    defaults        1 2

Remount the filesystem
Code:

mount -o remount /

Verify the options have been applied
Code:

[root@server ~]# mount -l
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl)

Now user2 has "full control" over secretfile
Code:

setfacl -m u:user2:x /home/user1/
setfacl -m u:user2:rwx /home/user1/secretfile


Thanks but the whole question was to do it from sudoers file :)
