If I needed to give three or two users the right to cat /var/log/messages, how could I go about doing that?
If it was one person I guess I could give that one person ownership of the file; it will work but the method is questionable. Now for two or more people, has anyone done anything like it?
Recommend, especially if these two (or more) Users might end up needing similar access together to other files, that you create a User Group, then grant Read permissions on specific files for them. If at any time in the future you want to grant the same access to others, just add those User Accounts to your custom User Group.
If you’re unsure using the command line, you can create the custom User Group and add the User accounts in YAST >> User & Group Management, then use something like Dolphin to grant appropriate permissions.
On 2011-02-12 22:36, hgallo wrote:
>
> Hi I have an odd question
>
> If I needed to give three or two users right to cat /var/log/messages
> How could I go about doing that?
Besides changing the group ownership, you can configure sudo.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
gropiuskalle wrote:
> “robin_listas” Wrote:
>> Besides changing the group ownership, you can configure sudo.
>
> I am not a sudo-expert, but isn’t sudo rather managing permissions to
> run a command than file-rights? The command ‘cat’ can be used by every
> user.
cat can be used by every user but if the file is not readable by the
user then it doesn’t help. So one has to use sudo cat and then the sudo
rules apply. And the sudo rules can get pretty complicated, probably
complicated enough to use them as carlos suggests.
Changing the group of /var/log/messages doesn’t sound a great idea,
especially since upgrades will probably revert it and any security
monitor ought to find it. Using sudo avoids that.
Another approach might be to use ACLs, if your system is configured to
use them.
On 2011-02-14 15:36, gropiuskalle wrote:
>
> “robin_listas” Wrote:
>> Besides changing the group ownership, you can configure sudo.
>
> I am not a sudo-expert, but isn’t sudo rather managing permissions to
> run a command than file-rights? The command ‘cat’ can be used by every
> user.
The command allowed can include the options and the parameters. If you do
not match the exact line, you are not allowed.
Notice that there is a common misconception regarding sudo; when here
people say to somebody, for example “type fdisk -l” and enter the root
password when asked, we are assuming the wrong sudo configuration. Sudo
is intended to ask for your user’s password, not root’s. If you know the
root password, you can do anything, there is not very much real point in
using sudo in that case.
Notice this comment in the file /etc/sudoers:
In the default (unconfigured) configuration, sudo asks for the root password.
This allows use of an ordinary user account for administration of a freshly
installed system. When configuring sudo, delete the two
following lines:
Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with ‘Defaults targetpw’!
Carlos E. R. wrote:
> Notice that there is a common misconception regarding sudo; when here
> people say to somebody, for example “type fdisk -l” and enter the root
> password when asked, we are assuming the wrong sudo configuration. Sudo
> is intended to ask for your user’s password, not root’s. If you know the
> root password, you can do anything, there is not very much real point in
> using sudo in that case.
That’s true but there are negative consequences when using your own
password as well (that’s the way Ubuntu sets it up by default BTW). The
consequences are:
* your own normal password needs to be secure enough to use for root
(yes, yes, you can argue that all passwords should be very secure but)
* the root password is potentially exposed at a lot more places -
every time you login as yourself - which may make it easier to crack
(social engineering)
The best solution if you want to use sudo is to set up special admin
users who are the only sudoers, IMHO.
On 2011-02-14 16:41, Dave Howorth wrote:
> Carlos E. R. wrote:
> That’s true but there are negative consequences when using your own
> password as well (that’s the way Ubuntu sets it up by default BTW). The
> consequences are:
Yes, and I don’t like the ubuntu way >:-)
> * your own normal password needs to be secure enough to use for root
> (yes, yes, you can argue that all passwords should be very secure but)
Yes, your password has to be secure. Always.
> * the root password is potentially exposed at a lot more places -
> every time you login as yourself - which may make it easier to crack
> (social engineering)
Why? You don’t need to know the root’s password, you don’t use it, and it
is not exposed. Notice that in this method you are only allowed to use a
subset of root’s tools, not all. Only those tools the real administrator
decides you can use via sudo.
> The best solution if you want to use sudo is to set up special admin
> users who are the only sudoers, IMHO.
The best thing would be a complex permission system where some users are
granted access to root tools, or be root for some things and not others.
They are not root, and can not change root’s password.
Or supervised “vice-root” admins. These users do “su - admin_one” and get
access, and their actions are logged. There can be several administrators.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
Hey guys, in trying to edit the /etc/sudoers file I noticed that the file permissions are read only for root and owner. What is the best practice on editing this file?
> Hey thanks for answering to the post I just have quick question,
> in this line:
>
> cer Telcontar= (root) NOPASSWD: /bin/cat /var/log/messages
>
> what does the “Telcontar” do?
Nothing. >:-)
Hint: man sudoers.
Hint 2: vg vf zl pbzchgre anzr :-c
Hint 3: rot13.
–
Cheers / Saludos, >;-P
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
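The sudo approach discussed in this thread, written out as a sudoers fragment for several users instead of one. This is an added example, not a configuration posted by any participant; the account names alice, bob and carol and the alias names LOGREADERS and READ_MESSAGES are made up for illustration.

```sudoers
# Edit with visudo, which locks the file and syntax-checks it before saving.

# Shipped defaults quoted earlier in the thread. While these two lines are
# present, sudo asks for root's password and anyone who knows it may run
# any command as root. Remove them when configuring sudo:
#   Defaults targetpw
#   ALL ALL=(ALL) ALL

# Constructed account names; replace with the real logins.
User_Alias  LOGREADERS    = alice, bob, carol

# Full path plus arguments. Because arguments are listed here, the
# arguments typed by the user must match them exactly.
Cmnd_Alias  READ_MESSAGES = /bin/cat /var/log/messages

# who        where = (run as) option     what
# "where" is a host list; ALL applies the rule on every host that
# reads this file.
LOGREADERS   ALL   = (root)   NOPASSWD:  READ_MESSAGES

# Resulting behaviour for alice, bob and carol, provided "cat" resolves
# to /bin/cat on the system:
#   sudo cat /var/log/messages               allowed, no password prompt
#   sudo cat /var/log/messages /etc/shadow   denied, extra argument
#   sudo cat /etc/shadow                     denied, different argument
#   sudo less /var/log/messages              denied, different command
#
# Listing only "/bin/cat" with no arguments would allow cat on any file
# as root. Dropping NOPASSWD: makes sudo ask for the caller's own
# password once the targetpw default has been removed.
```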