LinuxQuestions.org
Old 04-08-2013, 03:50 PM   #1
Rohant
SUDO Access Configuration


Hi all,

In my current organisation we planned to remove "root" access for all system admins & implement "sudo" to perform daily day-to-day tasks.

Everything is working fine for us, except that we are using an application, an SMS gateway called "kannel". At the time of setup the old sysadmins installed it in the "/root" directory. The path is "/root/kannel/gatewate-x.x.x/gw/".

When we want to restart the application, we first switch to the above-mentioned directory & then use the commands "bearbox -v 0 smskannel.conf" & "smsbox -v 0 smskannel.conf" with the root login. It works perfectly that way.

In the "/etc/sudoers" file I created one group called "SYSADMINS" & listed our names.

Later I created an alias as below:
Cmnd_Alias KANNEL = /root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf /root/kannel/gatewate-x.x.x/gw/smsbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf

At the end I wrote: SYSADMIN ALL=KANNEL

Still I am unable to use the above-mentioned command.

For the permission issue I set an ACL on "/root" with RWX for "others".

"setfacl -mR o:rwx:/root"

Even after that I am unable to execute the above commands.

SELinux is disabled.

Only three main partitions are created: /boot, swap & /.

If possible, can you guys suggest what I am missing, or any alternative to this?

Thanks.....
 
Old 04-08-2013, 05:51 PM   #2
TobiSGD
It would help to see which error messages you get. Also, is it possible to move the /root/kannel folder to a different location, for example /opt/kannel?
 
Old 04-14-2013, 03:59 PM   #3
Rohant
Thanks TobiSGD for your reply.

I am sorry I didn't reply to this thread; I was kind of busy with day-to-day work.

As per your suggestion I can move the "/root/kannel" directory to "/opt", but the issue is that all of these are production servers with regular SMS sending activity & load, so I may not get downtime for it.

But for the above issue I found one solution & it worked, though I personally feel it's not good sysadmin practice, because setting "rwx" permission for another group on "/root" is not a good idea. What I did is explained below.

1 - Created a group named "SYSADMIN" & test users whose secondary group will be SYSADMIN.

2 - Then for the permission issue I set an ACL on "/root" with RWX for group "SYSADMIN".

"setfacl -mR g:SYSADMIN:rwx /root"

3 - Created an alias as below:
Cmnd_Alias KANNEL = /root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf /root/kannel/gatewate-x.x.x/gw/smsbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf

4 - Then in the "/etc/sudoers" file I created one group called "SYSADMINS" & listed the test users' names.

5 - And at the end I wrote: SYSADMIN ALL=KANNEL

With the above changes I was able to execute "/root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf /root/kannel/gatewate-x.x.x/gw/smsbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf" & it worked fine.

##=================================================================##

Now, as per your suggestion I can move the "/root/kannel" directory to "/opt", but "/opt" still has the permissions below.

drwxr-xr-x 3 root root 4096 Apr 15 01:34 opt

So again I have to set an ACL on /opt & follow all the sudo configuration. Am I right?

##==================================================================##

I have one more doubt: kannel logs get generated in "/var/log/kannel". Others have read permission there, so I can read them. But as I told you, we run the kannel application in debugging mode with "/root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf".

The kannel log files are "/var/log/kannel/kannel.log", "/var/log/kannel/kannel_access.log" & "/var/log/kannel/smsbox.log", with permissions as below.

-rw-r--r-- 1 root root 437 Apr 15 01:40 kannel_access.log
-rw-r--r-- 1 root root 422304 Apr 15 02:26 kannel.log
-rw-r--r-- 1 root root 0 Apr 14 23:22 smsbox.log

As I understand it, if I run "/root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf" using "sudo", as "sudo /root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf", then the script will run as "root" and will get write permission on all kannel log files. Am I right? So will I be able to write logs to "/var/log/kannel/kannel_access.log"?

Thanks,

Last edited by Rohant; 04-14-2013 at 04:01 PM.
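
Added example, not part of any post in this thread: a sudoers fragment for the two Kannel commands quoted above, showing the posted alias beside a comma-separated form. The user names alice and bob are placeholders; the paths, including the x.x.x version, are copied as posted.

```sudoers
# Fragment for /etc/sudoers; edit with visudo so a syntax error cannot lock sudo.
# Constructed example: alice and bob are placeholder user names.

# One alias name, spelled the same way in the rule at the bottom
# (the posts use both "SYSADMINS" and "SYSADMIN").
User_Alias  SYSADMIN = alice, bob

# As posted, the alias has no comma between the two commands. sudo then reads
# a single command, bearbox, whose required arguments continue through the
# smsbox path and its options. When arguments are listed in sudoers, the
# arguments typed by the user must match them exactly, so only the whole
# long line is permitted and smsbox is never allowed on its own.

# Comma-separated form: two commands, each with its own fixed arguments.
# A trailing backslash continues the line.
Cmnd_Alias  KANNEL = \
    /root/kannel/gatewate-x.x.x/gw/bearbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf, \
    /root/kannel/gatewate-x.x.x/gw/smsbox -v 0 /root/kannel/gatewate-x.x.x/gw/smskannel.conf

# Members of SYSADMIN may run only the KANNEL commands, as root, on any host.
SYSADMIN  ALL = (root) KANNEL

# The commands are executed as root, which can already read /root and write
# the root-owned files under /var/log/kannel. A recursive rwx ACL on /root
# for the same users also lets them modify the binaries and the config file
# that this rule runs as root, which defeats the command restriction.
```

`visudo -c` checks the syntax of the file, and `sudo -l` run as one of the listed users prints the commands exactly as sudo parsed them.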