[SOLVED] nopasswd in sudoers seemingly ignored

awreneau · 09-24-2021, 07:38 AM

I have a sudoers line to allow a group to view logs in a specific folder.

%groupname ALL=(ALL) NOPASSWD: /usr/bin/tail /path/to/files/*.log

when user executes the following:

sudo tail -f /path/to/files/this.log

they are still prompted for password.

visudo -f of the file does not report syntax error

thx for help

Turbocapitalist · 09-24-2021, 07:40 AM

What about the -f option for tail in /etc/sudoers?

awreneau · 09-24-2021, 09:05 AM

that fixed it! I thought that any switches were implied.

Thanks so much!

Turbocapitalist · 09-24-2021, 09:16 AM

No problem

The allowance of all options is only if there are no options given at all, but then that would allow them to use tail to examine any file anywhere on the system and that is probably not what you want.

Code:

%groupname ALL=(ALL) NOPASSWD: /usr/bin/tail

Another option is to make the log files readable by the group in question.

Code:

sudo chgrp groupname /path/to/files/this.log
sudo chmod g=r /path/to/files/this.log

Then you'd also have to adjust the configuration for logrotate to keep those changes. In that way, the requirement for sudo can be eliminated.