is there a way i can give someone full sudo BUT restrict them from viewing one specific file?
a client of ours is requesting full access to their server, but i do not want them to have R rights to the /root/.ssh/authorized_keys file.
what's the recommended course of action for this?
You'll have to have a pretty comprehensive rule set for that user. First, deny them shell access, then deny them rights to cp/mv/cd/whatever-else-can-read-a-file to that file/directory. And that is a LONG list (tar, gzip, zip, cpio, etc., etc....). Then also deny them rights to run whatever backup software you use, so they can't RESTORE that file to an alternate location.
Short answer: it's doable.
Long answer: it's doable, but not practical. There are FAR too many commands to copy/read files, and that doesn't take into account if that user writes a shell script that USES one of those commands, and runs IT with sudo, which may let them sidestep things.
Most practical solution: Warn user(s) that they are NOT to play with that file, and get them to sign a sheet showing you've had this talk with them. Deny shell access and limit login hours for that user to working-hours only. Have a cron job run every so often, to look at the sudo logs for anything that mentions that directory/file. Email the data security/admins if such an entry is found, and show up at that user's desk IMMEDIATELY with a baseball bat, and ask them what the hell they think they're doing. Fire said employee if the warning doesn't work.
good write-up man, i figured it was doable but i was hoping it would have been as simple as putting a "!/etc/.ssh/authorized_keys" comment or something similar in the sudoers file.
i appreciate your input.
i've given the client /bin/sh access but did not put an entry in the /etc/sudoers file. They said they are fine with just having ssh access for now and if they need any elevated privileges, they'll let me know specifically what and for which file they need.
If you do end up having to give them more access than you want, in addition to TB0ne's excellent advice above, this will come in useful http://linux.die.net/man/1/inotifywait
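A concrete version of the two monitoring ideas in this thread (TB0ne's cron job that scans the sudo log for anything mentioning the directory/file, and the inotifywait watch linked just above), as an added example that is not part of any post here. It assumes the syslog-style sudo log lines most distributions produce (`sudo: user : TTY=... ; COMMAND=...`); the path, user names and log lines are constructed sample data, and the user-writable-path list is a hypothetical choice you would tune for your server.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of its posters.
# Assumes sudo logs in the syslog form most distros use, e.g.
#   sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /root/.ssh/authorized_keys
# All paths, user names and log lines below are constructed sample data.

SENSITIVE_FILE="${SENSITIVE_FILE:-/root/.ssh/authorized_keys}"
SENSITIVE_DIR=$(dirname "$SENSITIVE_FILE")

# Write a constructed sample of a sudo log to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 09:12:01 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  5 09:15:44 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /root/.ssh/authorized_keys
Jan  5 09:16:02 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar czf /tmp/k.tgz /root/.ssh
Jan  5 09:20:10 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/home/alice/helper.sh
Jan  5 09:21:00 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
EOF
}

# 1. Direct references: every sudo COMMAND= line that names the sensitive
#    directory (so both the file and the directory it lives in are caught).
sudo_cmds_touching_sensitive_dir() {
    grep -E 'sudo(\[[0-9]+\])?: ' "$1" | grep -F 'COMMAND=' | grep -F "$SENSITIVE_DIR" || true
}

# 2. Indirect references: sudo commands whose executable lives in a
#    user-writable location. This is TB0ne's wrapper-script case: the log only
#    records the script's path, never the commands inside it, so the script
#    location itself is the signal. The directory list is a hypothetical choice.
sudo_cmds_from_user_paths() {
    grep -E 'sudo(\[[0-9]+\])?: ' "$1" | grep -E 'COMMAND=(/home/|/tmp/|/var/tmp/|/dev/shm/)' || true
}

# Summarise findings for the log in $1; returns non-zero when there is
# something to look at, so a cron job can pipe the output into mail(1)
# only on that branch.
report() {
    direct=$(sudo_cmds_touching_sensitive_dir "$1" | wc -l | tr -d ' ')
    indirect=$(sudo_cmds_from_user_paths "$1" | wc -l | tr -d ' ')
    printf 'direct references to %s: %s\n' "$SENSITIVE_DIR" "$direct"
    printf 'sudo commands run from user-writable paths: %s\n' "$indirect"
    [ "$direct" -eq 0 ] && [ "$indirect" -eq 0 ]
}

# Real-time watch on the file itself with inotifywait (inotify-tools):
# -m keeps monitoring instead of exiting after the first event, -e selects
# the events. inotify reports the event but not which user caused it, so this
# complements the sudo-log scan rather than replacing it.
watch_sensitive_file() {
    command -v inotifywait >/dev/null 2>&1 || { echo "inotifywait not installed" >&2; return 1; }
    inotifywait -m -e open,access,attrib,close_write "$SENSITIVE_FILE"
}

main() {
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "== direct references =="
    sudo_cmds_touching_sensitive_dir "$tmp"
    echo "== commands from user-writable paths =="
    sudo_cmds_from_user_paths "$tmp"
    report "$tmp" || echo "ALERT: review the lines above" >&2
    rm -f "$tmp"
}

main "$@"
```

Run it from cron against /var/log/auth.log (or wherever your distro writes sudo lines) and only send mail when `report` exits non-zero. The second check is the important one in practice: a script in the client's home directory run under sudo shows up in the log only as that script's path, so matching on the sensitive path alone misses exactly the case TB0ne warns about. If you need the acting user for file opens rather than just the event, auditd watch rules record that where inotify does not.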