UNIX for Dummies Questions & Answers

How do I deny a user to edit a specific file in directory but the user will have a capability to use sudo and execute any command? I will just deny him/her to edit sayy 5files in different directories in linux?

example. He cannot edit /etc/modprobe.d/blacklist.conf and /etc/sshd.config? Then the rest he can use sudo command.

thanks

You shouldn't allow to edit any file at all via sudo. This is what group ownerships are meant for: instead of doing it via sudo you make the file owned by a certain group, grant the group the write-privilege and make any user allowed to edit the file a member of this group.

Code:

# ls -l /file/in/question
-rw-rw---- 1 root mayedit 11872 2013-01-29 18:34 /file/in/question

# groups willedit
willedit : users mayedit

# groups willnotedit
willnotedit : users

Now you add any user who should be able to edit the file to the "willedit" group and all others are left out.

The reason why you shouldn't do that via sudo is because most editors allow shell escapes and this is one of the classical ways to circumvent restrictions via sudo: to allow sudo vi /some/file for instance means that the user is allowed to set up the process vi /some/file as root. Issuing ":!sh" in this vi session now escapes to a normal shell in which the user is now fully root. You don't need any sudo restrictions in place in this case any more.

I hope this helps.

bakunin

If you do need to give sudo vi access, you can use rvim, which will not allow shell commands to be called via ! within vi.

thanks. however if the 'mayedit' user will execute sudo vi /file/in/question, he will be able to edit it right? the user will have like sudo access to all (ie. shutdown, cp, mv, any commands) but not to a specific files i will mention. is this possible?

Ahem,

"mayedit" is not a user, but a user group. Users are "willedit" and "willnotedit".

By giving a user the right to "sudo vi" this user will effectively be able to become root and use any command - shutdown, mv, cp and anything else included - without even having to use "sudo".

And, no, this is not possible. root may do everything and if you allow a user to become root, you have allowed him to do everything effectively. There is no restricting after you have given full rights. This is why you shouldn't use sudo for this, as explained above.

I hope this helps.

bakunin

thanks..is there an application or a way on how to do this? because i want our sysads to say apt-get install, shutdown, mv, cp etc but will restrict their access to the ff for example
a. /etc/modprobe.d/blacklist.conf--- its bec i will disable usb/video module

in this way they will not be able to edit this file but they can edit all files, cp, mv, rm etc since they are sysad and they will be sudoers.

The short answer is no. This is because of your proposed security model, i.e. allow the editing of all files except for a small number of files. This is sometimes known as a "mostly open" security model. A better approach in this case is to use a "mostly closed" model, i.e. deny permission to edit all files except for a small number of files.