Question about rights

Hi I have an odd question

If I needed to give three or two users the right to cat /var/log/messages, how could I go about doing that?

If it was one person I guess I could give that one person ownership of the file; it will work, but the method is questionable. Now for two or more people, has anyone done anything like it?

Thanks

IMO,
Your Users only need read access.

I recommend, especially if these two (or more) Users might end up needing similar access together to other files, that you create a User Group, then grant Read permissions on specific files for them. If at any time in the future you want to grant the same access to others, just add those User Accounts to your custom User Group.

If you’re unsure about using the command line, you can create the custom User Group and add the User accounts in YAST >> User & Group Management, then use something like Dolphin to grant appropriate permissions.

HTH,
Tony

Hmmmm ok but for instance the /var/log/messages


-rw-r----- 1 root root     1243110 Feb 12 16:38 messages

it’s owned by the user root and group root. In this instance would I change the group to e.g. “cat_group”?

Thanks Tony…

Hi
Create a new group say ‘logviewers’ then add the users to this group
(as well as root) then change the group ownership of the file;


chown root:logviewers /var/log/messages

Then you need to add the file and permissions to /etc/permissions.


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.27-0.2-default
up 1 day 17:33, 3 users, load average: 0.22, 0.14, 0.37
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.36
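To see why the group-ownership approach above works, here is an added example (not from the thread) that models the classic Unix read check: it parses the ls -l line quoted earlier and applies the owner-then-group-then-other rule to a few constructed sample accounts (root, hgallo and a hypothetical "alice" who is a member of "logviewers"). Only the classic mode bits are modelled, not ACLs.

```python
import re
import stat

# Constructed sample accounts (not from the thread): name -> set of groups
USERS = {
    "root": {"root"},
    "hgallo": {"users"},
    "alice": {"users", "logviewers"},
}

# The ls -l line quoted in the thread
LS_LINE = "-rw-r----- 1 root root     1243110 Feb 12 16:38 messages"

_LS_RE = re.compile(
    r"^(?P<type>[-dlcbps])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
)
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def parse_ls_line(line):
    """Return (owner, group, mode) from a long-format ls line.

    Lower-case s/t mean the execute bit is set alongside setuid/setgid/sticky;
    the special bits themselves do not matter for a read check and are ignored.
    """
    m = _LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    mode = 0
    for ch, bit in zip(m.group("perms"), _BITS):
        if ch in "rwxst":
            mode |= bit
    return m.group("owner"), m.group("group"), mode


def can_read(user, owner, group, mode):
    """Classic DAC rule: exactly one class applies (owner, else group, else other).

    Because only the first matching class is consulted, the owner is judged by
    the owner bits even if the group bits are wider. root bypasses the check.
    """
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in USERS[user]:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readers(owner, group, mode):
    """Sorted list of sample accounts able to read a file with these attributes."""
    return sorted(u for u in USERS if can_read(u, owner, group, mode))


if __name__ == "__main__":
    owner, group, mode = parse_ls_line(LS_LINE)
    print("%s:%s %o -> %s" % (owner, group, mode, readers(owner, group, mode)))
    # After 'chown root:logviewers /var/log/messages': mode unchanged, group differs
    print("root:logviewers %o -> %s" % (mode, readers(owner, "logviewers", mode)))
    # The lazy alternative, 'chmod o+r', opens the log to every account
    wide = mode | stat.S_IROTH
    print("root:root %o -> %s" % (wide, readers(owner, group, wide)))
```

With the file at root:root 640 only root can read it; regrouping to logviewers lets alice in while hgallo (not a member) stays out, and the mode never needs to be widened to "other".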

On 2011-02-12 22:36, hgallo wrote:
>
> Hi I have an odd question
>
> If I needed to give three or two users right to cat /var/log/messages
> How could I go about doing that?

Besides changing the group ownership, you can configure sudo.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Hey Thanks everyone…

I am not a sudo-expert, but isn’t sudo rather managing permissions to run a command than file-rights? The command ‘cat’ can be used by every user.

gropiuskalle wrote:
> “robin_listas” Wrote:
>> Besides changing the group ownership, you can configure sudo.
>
> I am not a sudo-expert, but isn’t sudo rather managing permissions to
> run a command than file-rights? The command ‘cat’ can be used by every
> user.

cat can be used by every user but if the file is not readable by the
user then it doesn’t help. So one has to use sudo cat and then the sudo
rules apply. And the sudo rules can get pretty complicated, probably
complicated enough to use them as carlos suggests.

Changing the group of /var/log/messages doesn’t sound a great idea,
especially since upgrades will probably revert it and any security
monitor ought to find it. Using sudo avoids that.

Another approach might be to use ACLs, if your system is configured to
use them.

On 2011-02-14 15:36, gropiuskalle wrote:
>
> “robin_listas” Wrote:
>> Besides changing the group ownership, you can configure sudo.
>
> I am not a sudo-expert, but isn’t sudo rather managing permissions to
> run a command than file-rights? The command ‘cat’ can be used by every
> user.

The command allowed can include the options and the parameters. If you do
not match the exact line, you are not allowed.

Notice that there is a common misconception regarding sudo; when here
people say to somebody, for example “type fdisk -l” and enter the root
password when asked, we are assuming the wrong sudo configuration. Sudo
is intended to ask for your user’s password, not root’s. If you know the
root password, you can do anything, there is not very much real point in
using sudo in that case.

Notice this comment in the file /etc/sudoers:

In the default (unconfigured) configuration, sudo asks for the root password.
This allows use of an ordinary user account for administration of a freshly
installed system. When configuring sudo, delete the two
following lines:

Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

Then this will work:

cer Telcontar= (root) NOPASSWD: /bin/cat /var/log/messages

or

cer Telcontar= (root) /bin/cat /var/log/messages

The first one doesn’t ask for the password, the other asks for cer’s
password. If the user types one letter changed, he is not allowed to do that.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
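As an added example (not from the thread and not the sudo project's code), the following simplified matcher handles only the rule shape Carlos quotes, "user host = (runas) [NOPASSWD:] command args", with exact matching of the command and every argument. It uses the NOPASSWD line from the thread plus one constructed rule for hgallo that asks for a password. Real sudo also supports ALL, aliases, wildcards, negation and Defaults, none of which is modelled here.

```python
import re
import shlex

# First line is the rule quoted in the thread; the second is a constructed
# rule (the hgallo and Telcontar names are the thread's own) with no NOPASSWD tag.
SUDOERS = """
cer Telcontar= (root) NOPASSWD: /bin/cat /var/log/messages
hgallo Telcontar= (root) /bin/cat /var/log/messages
"""

_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


def parse_rule(line):
    """Parse one 'user host = (runas) [TAG:] command args' line into a dict."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas").strip(),
        "nopasswd": "NOPASSWD" in tags,
        "argv": shlex.split(m.group("cmd")),
    }


def load_rules(text):
    """Parse the non-empty, non-comment lines of a sudoers fragment."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check(rules, user, host, argv, runas="root"):
    """Return 'nopasswd', 'password' or 'denied' for argv run by user@host.

    The command and every argument must match exactly, so a single changed
    letter or an extra argument is refused. As in real sudo, when several
    rules match, the last one decides.
    """
    verdict = "denied"
    for r in rules:
        if (r["user"] == user and r["host"] == host
                and r["runas"] == runas and r["argv"] == list(argv)):
            verdict = "nopasswd" if r["nopasswd"] else "password"
    return verdict


def check_cmdline(rules, user, host, cmdline):
    """Convenience wrapper taking the command line as it would follow 'sudo'."""
    return check(rules, user, host, shlex.split(cmdline))


RULES = load_rules(SUDOERS)

if __name__ == "__main__":
    for user, cmd in [("cer", "/bin/cat /var/log/messages"),
                      ("hgallo", "/bin/cat /var/log/messages"),
                      ("cer", "/bin/cat /var/log/message"),             # one letter off
                      ("cer", "/bin/cat /var/log/messages /etc/shadow")]:  # extra argument
        print("%-7s %-42s %s" % (user, cmd, check_cmdline(RULES, user, "Telcontar", cmd)))
```

The exact-match behaviour is the reason a rule like this is safe to grant: the user gets read access to that one file and nothing else, and a mistyped path is simply refused.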

That’s what I was missing (I hardly work with sudo), so thank you for the clarification.

I knew that before, yet I give a fat +1 for that. sudo is misunderstood and misused very often.

Carlos E. R. wrote:
> Notice that there is a common misconception regarding sudo; when here
> people say to somebody, for example “type fdisk -l” and enter the root
> password when asked, we are assuming the wrong sudo configuration. Sudo
> is intended to ask for your user’s password, not root’s. If you know the
> root password, you can do anything, there is not very much real point in
> using sudo in that case.

That’s true but there are negative consequences when using your own
password as well (that’s the way Ubuntu sets it up by default BTW). The
consequences are:

  • your own normal password needs to be secure enough to use for root
    (yes, yes, you can argue that all passwords should be very secure but)
  • the root password is potentially exposed at a lot more places -
    every time you login as yourself - which may make it easier to crack
    (social engineering)

The best solution if you want to use sudo is to set up special admin
users who are the only sudoers, IMHO.

On 2011-02-14 16:41, Dave Howorth wrote:
> Carlos E. R. wrote:

> That’s true but there are negative consequences when using your own
> password as well (that’s the way Ubuntu sets it up by default BTW). The
> consequences are:

Yes, and I don’t like the ubuntu way >:-)

> * your own normal password needs to be secure enough to use for root
> (yes, yes, you can argue that all passwords should be very secure but)

Yes, your password has to be secure. Always.

> * the root password is potentially exposed at a lot more places -
> everytime you login as yourself - which may make it easier to crack
> (social engineering)

Why? You don’t need to know the root’s password, you don’t use it, and it
is not exposed. Notice that in this method you are only allowed to use a
subset of root’s tools, not all. Only those tools the real administrator
decides you can use via sudo.

> The best solution if you want to use sudo is to set up special admin
> users who are the only sudoers, IMHO.

The best thing would be a complex permission system where some users are
granted access to root tools, or be root for some things and not others.
They are not root, and cannot change root’s password.

Or supervised “vice-root” admins. These users do “su - admin_one” and get
access, and their actions are logged. There can be several administrators.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

This looks like a great approach. Thanks Robin, I’m feeling that…

Hey guys, in trying to edit the /etc/sudoers file I noticed that the file permissions are read only for root and owner. What is the best practice on editing this file?

Thanks…

It can be edited via Yast I guess.

Hi
Or via the command line with sudoedit, you don’t just edit the file :wink:

Thanks Malcolm

On 2011-02-15 17:28, hgallo wrote in a PM:

> Hey thanks for answering to the post I just have quick question,
> in this line:
>
> cer Telcontar= (root) NOPASSWD: /bin/cat /var/log/messages
>
> what is the “Telcontar” do?

Nothing. >:-)

Hint: man sudoers.

Hint 2: vg vf zl pbzchgre anzr :-c

Hint 3: rot13.


Cheers / Saludos, >;-P

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-02-15 17:36, malcolmlewis wrote:
>
> Hi
> Or via the command line with sudoedit, you don’t just edit the file :wink:

Change first the EDITOR variable, or you will have to teach “vi” in 12
short lessons :-p


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)