Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We are planning to setup a Role based access and security to our Linux servers. We can use mostly use sudo for providing the limited access to service and files.
My query is that how can we manage that members can edit/access only specific files (it would be 1 or multiple files or placed on multi location), This seems to be very hectic if can manage from sudo to add all the entries there.
Can you please let me know the better solution for this as we have a sub teams and that team would have multiple members working for various areas.
Basic users and groups along with file permissions are designed for this kind of control.
ACLs give you even more control.
What you do NOT want to do is give "sudo vi" or similar unless you've turned off shell escapes.
What we do here for many things is make them owned by an administrative account (e.g. developer, oracle, specialapp, etc...) then simply grant real users access to do "sudo su - <adminacct>". This will log which real user became that adminacct (but not what they did after they became that adminacct). We do not give out passwords for the adminacct itself. (i.e. No one can login directly as adminacct - they must use sudo). For most purposes if something occurs finding who most recently became that adminacct and looking at shell history lets us know what was done.
So in case you have to provide some of conf file under /etc [Samba,dns, apache,mysql,svn..etc] access to Linux admin so that they can edit the file and restart the services as well, then we have to change the group permission of these files to the group whose members can do so.
And these files and services will also be added to sudo as well ? If yes then you have to mention each file in sudo, which this group can change or alter
What I did for httpd.conf once was give the user his own copy of httpd.conf.
I then wrote a script that:
1) Saved the original /etc/httpd.conf to date stamped copy so I could back out if user screwed it up
2) Copied the user's modified httpd.conf to /etc
3) Set the permissions on the copy to what the original /etc/httpd.conf.
I gave the user access to run that script via sudo. Obviously you want to put the script in a secure location so the user can't edit.
User would update his copy as desired then do sudo to run the script to put his updates into the live /etc directory.
The beauty of this was it logged every time he put a new file in place.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.