08-11-2005, 02:41 PM
|
#1
|
LQ Newbie
Registered: Aug 2005
Posts: 2
Rep:
|
SUDO Command help
Howdy Friends:
I'm trying to figure out a way to do this and not lose my sanity completely. I'd like to use SUDO to allow certain people SU access (webmasters, department administrators -- all trusted and educated Linux people); however there are a few files that I would *NOT* like them to ever be able to touch.
Again; these users would be allowed to do anything on the system that the root user would be able to do, except be able to execute, edit, or modify a certain (small) list of files.
ANY AND ALL help with this would be very much appreciated and welcomed.
Thanks!
TPAWired

|
|
|
08-11-2005, 03:36 PM
|
#2
|
Member
Registered: Jan 2005
Location: Atlanta, GA
Distribution: Gentoo, Slackware
Posts: 217
Rep:
|
Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root privileges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.
|
|
|
08-15-2005, 12:34 PM
|
#3
|
LQ Newbie
Registered: Aug 2005
Posts: 2
Original Poster
Rep:
|
Quote:
Originally posted by puffinman
Have you checked out any example sudoers files? sudo has lots and lots of options, so I'm sure you could accomplish anything you wanted. Check out this example page. Also, I think it's generally best to limit access unless told otherwise, rather than the reverse. If you really want to prevent people from seeing these files, you need to make sure that nothing they can run will enable them to use root privileges to change ownership or permissions, or edit files: no shells, editors, etc. This can be tricky unless you specify exactly what people can and can't run.
|
Only problem is...
I don't want them to be able to edit a few files (i.e. configuration files) that pertain to this protected set of applications either -- however, they should be able to edit other configuration files on the system.
Let me give a little better breakdown of what I am trying to accomplish....
These users are webmasters and departmental heads. They all have UNIX knowledge and experience with LINUX/Unix systems. However, the proxy and content filtering solution I have in place (Squid/Dansguardian) can be bypassed by placing IP Addresses in the excludeipaddress file. I have found that people routinely manipulate these files to be excluded from filtering.
I know that it's a user education issue (and security ruleset enforcement issue); however, these people need to also be able to perform their job functions as well -- and sometimes installing .ASP/J2EE/PHP scripts requires the usage of elevated privileges.
I was hoping SUDO would allow me to give them access to perform their jobs and still keep these applications/configuration files in a state that I can control.
If there is another way to get the functionality I need, I'm not stuck on SUDO. I saw Solaris 10 Zones might allow me to assign them user roles -- perhaps that's the way to go?
|
|
|
08-15-2005, 01:50 PM
|
#4
|
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
|
Well, you can always be VERY specific in what rights
you grant them via sudo, e.g. admin=/usr/bin/vim /etc/passwd,
admin=/usr/bin/vim /etc/shadow, ... another approach would
be to put all those guys into a group admin, make admin
owner of the files they CAN modify with a 770, and give
admin 700 for those particular files and the directory that
holds them. May mean that you have to do some shuffling
of config files, though, depending on how you've set up
the machine.
Cheers,
Tink
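One way to write the tightly scoped rules suggested in post #4, as an added example that is not part of the original thread. The group name `webadmins`, the alias names and every file path are assumptions; the filter's own configuration files are protected by appearing in no rule at all.

```sudoers
# Constructed example. Group name, alias names and paths are assumptions.
# Check syntax before installing with: visudo -c -f <this file>

# Weak form, shown commented out: grant everything, then subtract.
# sudoers(5) itself warns that subtracting commands from ALL does not
# reliably restrict a user, and any root shell or root editor granted
# through ALL can still reach the protected files.
# %webadmins ALL = (root) ALL, !/usr/bin/vim /path/to/protected.conf

# Stronger form: default deny, then list exactly what the job needs.

# Service control with fixed arguments only.
Cmnd_Alias WEB_SVC  = /usr/sbin/apachectl graceful, \
                      /usr/sbin/apachectl configtest

# File edits go through sudoedit instead of "vim <file>" run as root.
# sudoedit runs the editor as the invoking user on a temporary copy, so
# opening another file or a shell from inside the editor gains nothing.
# sudoedit is written without a path in sudoers.
Cmnd_Alias WEB_EDIT = sudoedit /etc/httpd/conf/httpd.conf, \
                      sudoedit /etc/php.ini

# Members of webadmins may run only the two aliases above as root.
# The Squid/DansGuardian files are not listed, so sudo refuses them.
%webadmins ALL = (root) WEB_SVC, WEB_EDIT
```

Each member can confirm what they were actually granted with `sudo -l`; anything not listed there is denied and the attempt is logged by sudo.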