sudoers - how to give access to certain directories?
Without changing permissions on a directory tree, is there any way to give sudo access to a specific directory so that admin staff could move/copy/edit files in those directories? I have an app that requires specific permissions to work correctly; it's either sudo access or root access. I'd prefer to stay away from giving full sudo access to everyone who needs to modify files in this application directory.
Is this possible or not?
Also, is there a way to give ALL permissions minus a specific command (su in particular)?
You can take a command out of a sudo account by using the ! (not operator). For example, to let bill use all commands except su, shutdown, halt and poweroff, the line would look like this (in /etc/sudoers):
Code:
bill ALL = (ALL) ALL !su !shutdown !halt !poweroff
This does not seem like a good idea, as there may be ways around the exact command, such as using a shell escape from another program.
You can give access to directories just like you can commands. For example, if you wanted bill, mike, pete and members of the project group to be able to access /path/to/project/*, you'd use:
Code:
User_Alias THISGROUP = bill, mike, pete
THISGROUP, %project ALL= /path/to/project/*
The User_Alias statement should be near the top; all other statements should be with the main body of statements in the sudoers file.
Using wildcards in path names can be very tricky in sudo. Using the above example, I believe /path/to/project/../../../any/path/I/want/ would match.
Also, if I understand the man page correctly, the above command would allow commands to be run in the indicated directories but not allow files to be modified, which is what I understood the OP wanted. You might look at the sudoedit option for that (if the files to be modified are text files).
There is a SECURITY NOTES section of the sudoers man page that you may wish to look at.
Last edited by blackhole54; 05-20-2009 at 07:02 PM.
Big thanks to both of you guys, I completely forgot about sudoedit. Luckily the admins that will have root access I trust not to use loopholes, so that's not a big concern. The biggest concern for me is the directory access. I'll read up on sudoedit.
Thanks for the information, I really appreciate it.
FYI...in RHEL 5...
This doesn't work
Code:
bill ALL = (ALL) ALL !su !shutdown !halt !poweroff
But this does work...
Code:
bill ALL = (ALL) ALL,!su,!shutdown,!halt,!poweroff
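An added example, not part of any post in this thread: a small Python audit that flags the three patterns discussed above (negations missing their commas, commands subtracted from ALL, and a wildcard in the command path) in sudoers text. The `audit` function, its rule names and the simplified one-rule-per-line parsing are assumptions of this sketch; the sample input is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the sudoers lines quoted in this thread.
SAMPLE = """\
User_Alias THISGROUP = bill, mike, pete
THISGROUP, %project ALL= /path/to/project/*
bill ALL = (ALL) ALL !su !shutdown !halt !poweroff
bill ALL = (ALL) ALL,!su,!shutdown,!halt,!poweroff
"""

SKIP = re.compile(r"^(#|(User|Runas|Host|Cmnd)_Alias\b|Defaults\b)")
RUNAS = re.compile(r"^\([^)]*\)\s*")   # leading "(ALL)" run-as spec
TAG = re.compile(r"^[A-Z_]+:\s*")      # leading tag such as "NOPASSWD:"


def audit(text):
    """Return (line_no, rule, text) findings for user specifications.

    Simplified parser (assumption): one rule per line, no continuation
    lines, no escaped commas, run-as spec and tags only at the start.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or SKIP.match(line) or "=" not in line:
            continue
        cmnds = RUNAS.sub("", line.split("=", 1)[1].strip())
        while TAG.match(cmnds):
            cmnds = TAG.sub("", cmnds, count=1)
        for entry in (c.strip() for c in cmnds.split(",") if c.strip()):
            words = entry.split()
            # "ALL !su !halt": negations not separated by commas
            if any(w.startswith("!") for w in words[1:]):
                findings.append((no, "missing-comma", entry))
            # wildcard in the command path grants running whatever matches;
            # it does not by itself grant editing files in that directory
            if "*" in words[0]:
                findings.append((no, "wildcard-command", entry))
        # subtracting commands from ALL is a deny-list: a shell escape or a
        # copy of the binary under another name sidesteps it
        flat = cmnds.replace(",", " ").split()
        if "ALL" in flat and any(w.startswith("!") for w in flat):
            findings.append((no, "deny-list-after-ALL", cmnds))
    return findings


if __name__ == "__main__":
    for no, rule, text in audit(SAMPLE):
        print(f"line {no}: {rule}: {text}")
```

A rule of the form `%project ALL = sudoedit /path/to/project/*` produces no finding here, since the wildcard sits in the argument to sudoedit and not in a command path.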