Setup SUDO For a User on Linux Server

Hello! Can anyone please assist:

Question:
On Linux Server I have created two users John and Matt. I want to give both the users the ability to run 'more' and 'tail -f' commands on the log file in the directory /var/log/test.log. I do not want to give them SU rights.

Can anyone please assist with how to set up sudoers?

Thanks in advance.

/etc/sudoers

What I would do is write a script that displays the log how you want it then add the following to sudoers.

Cmnd_Alias     MYSCRIPTS=/path/to/script/myscriptname, /path/to/another/script/myotherscript

john    ALL=(ALL) MYSCRIPTS
matt    ALL=(ALL) MYSCRIPTS

The users would have to use the following command then enter their password:

# sudo /path/to/script/myscriptname

Make sure the users DON'T have write access to the script, or they can edit the script and put whatever they want in it.
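The write-access warning above can be checked mechanically. The following is an added example, not part of the original post: a shell check that a script listed in sudoers, and every directory above it, is owned by root and not writable by group or others, since a writable parent directory lets the script be replaced. The function names, `TRUSTED_UID` and the optional stop-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a script named in sudoers
# cannot be modified or replaced by the users allowed to run it.
# Assumption: sudo targets must be owned by root (uid 0); TRUSTED_UID overrides it.
TRUSTED_UID=${TRUSTED_UID:-0}

# 0 if $1 is owned by TRUSTED_UID and has no group/other write bit, 1 if not,
# 2 if it cannot be inspected. Uses GNU stat (Linux).
path_is_locked_down() {
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 2
    owner=${info% *}
    mode=${info#* }
    [ "$owner" -eq "$TRUSTED_UID" ] || return 1
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Check the script itself and every directory above it, up to $2 (default /).
# Conservative: sticky-bit directories such as /tmp are flagged too.
audit_sudo_target() {
    target=$(readlink -f -- "$1") || return 2
    stop=$(readlink -f -- "${2:-/}") || return 2
    if [ ! -f "$target" ]; then
        echo "not a regular file: $1" >&2
        return 2
    fi
    p=$target
    while :; do
        if ! path_is_locked_down "$p"; then
            echo "UNSAFE: $p (wrong owner, group/other-writable, or unreadable)"
            return 1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    echo "OK: $target"
}

# Stand-alone use: sh audit.sh /path/to/script/myscriptname
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Run it as root against each path in the `Cmnd_Alias` line after any change to the scripts or their directories.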

Thank you very much IKON. It works!!!

Ikon, use a group my boy. hehehe

Standardization is king!

The only reason I actually think I should mention this is that, doing this at work nearly every day, if you continue to add users into the sudoers file then you may just mistype something and kill sudo sys-wide. Better to have groups you can simply add users to. Again, you will still need to initially config sudoers, but adding more people down the track is easier.

And again, you are supposed to use visudo to get around /etc/sudoers corruption, but, as Jokob mentioned the file itself, manual editing should be as limited as possible.

The above works great...but how can we restrict the users John and Matt to stop executing the scripts in other directories?

Or simply, I do not want them to access any directory (and data in them) except the directory where the script is saved (for example, the script is saved in /tmp).

Thanks.

Problem is you are allowing them to tail a file; this means they will be able to look at the contents of pretty much anything they want.

For instance:
sudo tail /root/.ssh/authorized_keys

Catch my drift???

I would say chgrp the files you want them to be able to tail, to a newly created group, toss the old group owner into that group and add matt and john to the new group.

This way they can only access the files that you chgrp to the new group.

This seems to be becoming more of a permissions question than a sudo question...