Red Hat: This forum is for the discussion of Red Hat Linux.
Having never configured an ACL before, I'm not sure where to start.
The Linux ACL site (used to be http://www.bestbits.at/acl/ but moved to http://savannah.nongnu.org/projects/acl), local getfacl and setfacl documentation, LQ and 'net setfacl examples like this, this, this (PDF), this, this or this.
Quote:
Originally Posted by Fed
Allow UserX to mount any directory without sudo
It is not always transparent what being (un)able to execute system commands means. If you like figuring things out for yourself I suggest the following manual pages in no particular order:
- 'man capabilities' (search for CAP_SYS_ADMIN) to see why mounting requires root rights (and as such why /sbin/mount is setuid root),
- 'man 5 fstab' for a terse overview of options used in /etc/fstab (fourth field),
- 'man mount', search for the "users" /etc/fstab option (vs "owner").
From that you'd see that Linux ACLs, as in the fourth field "acl" option, don't have anything to do with who is (un)able to mount a file system.
Quote:
Originally Posted by Fed
Allow UserX ability to edit /etc/fstab without sudo
Regardless of your system not being connected to any network or not being used by other users than yourself or you "not caring about security anyway", this should not ever be allowed to not override discretionary access control, DAC for short, the separation of privileges Linux uses for good reason.
Said user needs the ability to create and mount/umount shares without having root access. I assumed an ACL would be able to configure this but if what you say is correct then obviously it isn't possible. I've been reading about adding UserX to the 'fuse' group and then doing a 'fusermount share'. Though I can't seem to get this working.
What's wrong with using sudo; it sounds like just the job for this (at least the mounting anyway)?
It isn't sufficient for my needs because it requires a password when prompted (need the ability to just execute the command without elevating a user's security) and it gives the user power to edit other things which I don't want them to do. It's literally a user where once logged in, they can edit the file systems table and mount/unmount shares without elevating their security.
Quote:
Originally Posted by Fed
Said user needs the ability to create and mount/umount shares without having root access. I assumed an ACL would be able to configure this but if what you say is correct then obviously it isn't possible.
Access Control Lists (ACL) extend Discretionary Access Control (DAC), the basic, static "rwx" access rights. ACL has no concept of and does not modify any processes.
Quote:
Originally Posted by Fed
it requires a password when prompted
I pointed you to reading manual pages in my first reply. So by now you should have found 'man sudoers' (and while reading you may not have found the "NOPASSWD" directive.)
Quote:
Originally Posted by Fed
(need the ability to just execute the command without elevating a user's security)
Saying that suggests you haven't read 'man capabilities' or haven't understood its implications: some actions just require root rights.
Quote:
Originally Posted by Fed
and it gives the user power to edit other things which I don't want them to do.
False. Sudo allows for fine-grained control over which user, group, on which host may execute which commands and you can even deny access to certain switches. As far as I'm aware any non-Ubuntu distro by default wouldn't allow unprivileged users carte blanche through /etc/sudoers but give examples of per command or per command group configuration.
Quote:
Originally Posted by Fed
It's literally a user where once logged in, they can edit the file systems table and mount/unmount shares without elevating their security.
If automation on login is a requirement then there are PAM modules to look at, if it needs to be scripted or command line then, as chrism01 already said, Sudo is the safest, most efficient, best configurable option.
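As an added illustration of the two options discussed in this thread (the fstab "users" option and a per-command NOPASSWD sudoers rule), not taken from any post here; the user name userx, the device /dev/sdb1 and the mount point /mnt/share are placeholders:

```conf
# --- /etc/fstab (added example; device and mount point are placeholders) ---
# The fourth field decides who may mount this entry. "users" lets any user run
# "mount /mnt/share" and "umount /mnt/share" with no sudo at all, and the kernel
# implies noexec,nosuid,nodev for such mounts. "owner" instead restricts mounting
# to the owner of the device node. Neither needs the "acl" option, which only
# enables extended ACLs on files inside the mounted file system.
/dev/sdb1   /mnt/share   ext4   noauto,users   0 0

# --- /etc/sudoers.d/userx-mount (added example; edit only via visudo) ---
# If more than a fixed fstab entry is needed, grant exactly the two commands with
# exactly these arguments. A bare "/bin/mount" (no arguments) would permit any
# options, so always pin the argument list.
Cmnd_Alias USERX_MOUNT = /bin/mount /mnt/share, /bin/umount /mnt/share
userx   ALL = (root) NOPASSWD: USERX_MOUNT
# Nothing here grants write access to /etc/fstab: editing it is root-equivalent,
# so that part of the original request stays unfulfilled by design.
```

Check the sudoers fragment with `visudo -c -f /etc/sudoers.d/userx-mount` before relying on it; a syntax error in a sudoers.d file can lock sudo out for everyone.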