Can I restrict a user with root privileges(with sudo) from accessing/deleting a specific file?
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I want to keep a log-file on my computer. I also want to give privileges to a different account to do all sorts of system specific jobs such as mount volume/install packages etc. So that user has to have root privileges but must be restricted from a single log file such that s/he should not be able to change/delete/write that specific file.
linux selinux access-control
asked Jan 24 at 12:28
E.Bülbül
11
add a comment |Â
up vote
0
down vote
favorite
I want to keep a log-file on my computer. I also want to give privileges to a different account to do all sorts of system specific jobs such as mount volume/install packages etc. So that user has to have root privileges but must be restricted from a single log file such that s/he should not be able to change/delete/write that specific file.
linux selinux access-control
asked Jan 24 at 12:28
E.Bülbül
11
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I want to keep a log-file on my computer. I also want to give privileges to a different account to do all sorts of system specific jobs such as mount volume/install packages etc. So that user has to have root privileges but must be restricted from a single log file such that s/he should not be able to change/delete/write that specific file.
linux selinux access-control
asked Jan 24 at 12:28
E.Bülbül
11
I want to keep a log-file on my computer. I also want to give privileges to a different account to do all sorts of system specific jobs such as mount volume/install packages etc. So that user has to have root privileges but must be restricted from a single log file such that s/he should not be able to change/delete/write that specific file.
linux selinux access-control
asked Jan 24 at 12:28
E.Bülbül
11
asked Jan 24 at 12:28
E.Bülbül
11
asked Jan 24 at 12:28
E.Bülbül
11
asked Jan 24 at 12:28
E.Bülbül
11
11
add a comment |Â
add a comment |Â
4 Answers
4
active
oldest
votes
up vote
2
down vote
First, you can make the log file unwritable by the root via the sudoers file:
user ALL=(ALL) !/var/log/logfile
That will make it so that the logfile can't be modified, moved, or deleted by the root.
Then you can edit the sudoers file so that the user can only use the commands which you've decided are necessary:
user ALL=(ALL) /bin/command1 /bin/command2 /bin/command3
user ALL=(ALL) !ALL
That will disallow any commands that you don't want the user to have. You can also make the sudoers file immutable via chattr +i /etc/sudoers so that the user can't modify it as root to allow himself to access the log file.
edited Mar 6 at 18:45
Drakonoved
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
add a comment |Â
up vote
1
down vote
If you can't limit the sudo for the user, then you can sync logs to different node (rsync/rsyslog).
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
add a comment |Â
up vote
1
down vote
A user that is given superuser permissions on a system needs to be
- Fully trusted, and
- Accountable.
If that's not the case, then the operations that the user needs to undertake as root should be narrowly specified in such a way that they may be listed in the sudoers file in a precise manner (e.g. only be able to run rm on these files). Such a user should also not be able to use sudo to gain a root shell environment.
If this is not possible, then consider setting up a separate non-root account under which all needed operations may be performed.
answered Jan 24 at 16:30
Kusalananda
103k13202318
add a comment |Â
up vote
0
down vote
Yes you can restrict a sudo user to restrict to run some specific root user commands. so that he/she can execute the configured permission as shown below.
Example : You can give the required permissions in vi /etc/sudoers
or type visudo
Add below types of required permissions in /etc/sudoers file.
User_A_permissions:
Cmnd_Alias PERMISSIONS = /usr/sbin/lsof, /usr/bin/ssh, /usr/bin/scp, /usr/bin/rsync, /usr/bin/telnet, /usr/bin/traceroute, /usr/bin/kill, /usr/bin/ps, /usr/bin/netstat, /usr/bin/grep, /usr/bin/crontab, /usr/sbin/tcpdump, /bin/ping, /usr/bin/crontab -u root -l, /usr/bin/crontab -u root -e, /etc/init.d/crond reload, /usr/bin/updatedb, /bin/df, /usr/bin/du, /usr/bin/locate, /usr/bin/find, /bin/su
After that add below line
%User_A_permissions ALL=PERMISSIONS
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
add a comment |Â
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
First, you can make the log file unwritable by the root via the sudoers file:
user ALL=(ALL) !/var/log/logfile
That will make it so that the logfile can't be modified, moved, or deleted by the root.
Then you can edit the sudoers file so that the user can only use the commands which you've decided are necessary:
user ALL=(ALL) /bin/command1 /bin/command2 /bin/command3
user ALL=(ALL) !ALL
That will disallow any commands that you don't want the user to have. You can also make the sudoers file immutable via chattr +i /etc/sudoers so that the user can't modify it as root to allow himself to access the log file.
edited Mar 6 at 18:45
Drakonoved
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
add a comment |Â
up vote
2
down vote
First, you can make the log file unwritable by the root via the sudoers file:
user ALL=(ALL) !/var/log/logfile
That will make it so that the logfile can't be modified, moved, or deleted by the root.
Then you can edit the sudoers file so that the user can only use the commands which you've decided are necessary:
user ALL=(ALL) /bin/command1 /bin/command2 /bin/command3
user ALL=(ALL) !ALL
That will disallow any commands that you don't want the user to have. You can also make the sudoers file immutable via chattr +i /etc/sudoers so that the user can't modify it as root to allow himself to access the log file.
edited Mar 6 at 18:45
Drakonoved
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
add a comment |Â
up vote
2
down vote
up vote
2
down vote
First, you can make the log file unwritable by the root via the sudoers file:
user ALL=(ALL) !/var/log/logfile
That will make it so that the logfile can't be modified, moved, or deleted by the root.
Then you can edit the sudoers file so that the user can only use the commands which you've decided are necessary:
user ALL=(ALL) /bin/command1 /bin/command2 /bin/command3
user ALL=(ALL) !ALL
That will disallow any commands that you don't want the user to have. You can also make the sudoers file immutable via chattr +i /etc/sudoers so that the user can't modify it as root to allow himself to access the log file.
edited Mar 6 at 18:45
Drakonoved
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
First, you can make the log file unwritable by the root via the sudoers file:
user ALL=(ALL) !/var/log/logfile
That will make it so that the logfile can't be modified, moved, or deleted by the root.
Then you can edit the sudoers file so that the user can only use the commands which you've decided are necessary:
user ALL=(ALL) /bin/command1 /bin/command2 /bin/command3
user ALL=(ALL) !ALL
That will disallow any commands that you don't want the user to have. You can also make the sudoers file immutable via chattr +i /etc/sudoers so that the user can't modify it as root to allow himself to access the log file.
edited Mar 6 at 18:45
Drakonoved
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
edited Mar 6 at 18:45
Drakonoved
674518
edited Mar 6 at 18:45
Drakonoved
674518
edited Mar 6 at 18:45
Drakonoved
674518
674518
answered Jan 24 at 14:05
Nasir Riley
1,524138
answered Jan 24 at 14:05
Nasir Riley
1,524138
answered Jan 24 at 14:05
Nasir Riley
1,524138
1,524138
add a comment |Â
add a comment |Â
up vote
1
down vote
If you can't limit the sudo for the user, then you can sync logs to different node (rsync/rsyslog).
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
add a comment |Â
up vote
1
down vote
If you can't limit the sudo for the user, then you can sync logs to different node (rsync/rsyslog).
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
add a comment |Â
up vote
1
down vote
up vote
1
down vote
If you can't limit the sudo for the user, then you can sync logs to different node (rsync/rsyslog).
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
If you can't limit the sudo for the user, then you can sync logs to different node (rsync/rsyslog).
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
answered Jan 24 at 13:06
Jaroslav Kucera
4,3604621
4,3604621
add a comment |Â
add a comment |Â
up vote
1
down vote
A user that is given superuser permissions on a system needs to be
- Fully trusted, and
- Accountable.
If that's not the case, then the operations that the user needs to undertake as root should be narrowly specified in such a way that they may be listed in the sudoers file in a precise manner (e.g. only be able to run rm on these files). Such a user should also not be able to use sudo to gain a root shell environment.
If this is not possible, then consider setting up a separate non-root account under which all needed operations may be performed.
answered Jan 24 at 16:30
Kusalananda
103k13202318
add a comment |Â
up vote
1
down vote
A user that is given superuser permissions on a system needs to be
- Fully trusted, and
- Accountable.
If that's not the case, then the operations that the user needs to undertake as root should be narrowly specified in such a way that they may be listed in the sudoers file in a precise manner (e.g. only be able to run rm on these files). Such a user should also not be able to use sudo to gain a root shell environment.
If this is not possible, then consider setting up a separate non-root account under which all needed operations may be performed.
answered Jan 24 at 16:30
Kusalananda
103k13202318
add a comment |Â
up vote
1
down vote
up vote
1
down vote
A user that is given superuser permissions on a system needs to be
- Fully trusted, and
- Accountable.
If that's not the case, then the operations that the user needs to undertake as root should be narrowly specified in such a way that they may be listed in the sudoers file in a precise manner (e.g. only be able to run rm on these files). Such a user should also not be able to use sudo to gain a root shell environment.
If this is not possible, then consider setting up a separate non-root account under which all needed operations may be performed.
answered Jan 24 at 16:30
Kusalananda
103k13202318
A user that is given superuser permissions on a system needs to be
- Fully trusted, and
- Accountable.
If that's not the case, then the operations that the user needs to undertake as root should be narrowly specified in such a way that they may be listed in the sudoers file in a precise manner (e.g. only be able to run rm on these files). Such a user should also not be able to use sudo to gain a root shell environment.
If this is not possible, then consider setting up a separate non-root account under which all needed operations may be performed.
answered Jan 24 at 16:30
Kusalananda
103k13202318
answered Jan 24 at 16:30
Kusalananda
103k13202318
answered Jan 24 at 16:30
Kusalananda
103k13202318
answered Jan 24 at 16:30
Kusalananda
103k13202318
103k13202318
add a comment |Â
add a comment |Â
up vote
0
down vote
Yes you can restrict a sudo user to restrict to run some specific root user commands. so that he/she can execute the configured permission as shown below.
Example : You can give the required permissions in vi /etc/sudoers
or type visudo
Add below types of required permissions in /etc/sudoers file.
User_A_permissions:
Cmnd_Alias PERMISSIONS = /usr/sbin/lsof, /usr/bin/ssh, /usr/bin/scp, /usr/bin/rsync, /usr/bin/telnet, /usr/bin/traceroute, /usr/bin/kill, /usr/bin/ps, /usr/bin/netstat, /usr/bin/grep, /usr/bin/crontab, /usr/sbin/tcpdump, /bin/ping, /usr/bin/crontab -u root -l, /usr/bin/crontab -u root -e, /etc/init.d/crond reload, /usr/bin/updatedb, /bin/df, /usr/bin/du, /usr/bin/locate, /usr/bin/find, /bin/su
After that add below line
%User_A_permissions ALL=PERMISSIONS
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
add a comment |Â
up vote
0
down vote
Yes you can restrict a sudo user to restrict to run some specific root user commands. so that he/she can execute the configured permission as shown below.
Example : You can give the required permissions in vi /etc/sudoers
or type visudo
Add below types of required permissions in /etc/sudoers file.
User_A_permissions:
Cmnd_Alias PERMISSIONS = /usr/sbin/lsof, /usr/bin/ssh, /usr/bin/scp, /usr/bin/rsync, /usr/bin/telnet, /usr/bin/traceroute, /usr/bin/kill, /usr/bin/ps, /usr/bin/netstat, /usr/bin/grep, /usr/bin/crontab, /usr/sbin/tcpdump, /bin/ping, /usr/bin/crontab -u root -l, /usr/bin/crontab -u root -e, /etc/init.d/crond reload, /usr/bin/updatedb, /bin/df, /usr/bin/du, /usr/bin/locate, /usr/bin/find, /bin/su
After that add below line
%User_A_permissions ALL=PERMISSIONS
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Yes you can restrict a sudo user to restrict to run some specific root user commands. so that he/she can execute the configured permission as shown below.
Example : You can give the required permissions in vi /etc/sudoers
or type visudo
Add below types of required permissions in /etc/sudoers file.
User_A_permissions:
Cmnd_Alias PERMISSIONS = /usr/sbin/lsof, /usr/bin/ssh, /usr/bin/scp, /usr/bin/rsync, /usr/bin/telnet, /usr/bin/traceroute, /usr/bin/kill, /usr/bin/ps, /usr/bin/netstat, /usr/bin/grep, /usr/bin/crontab, /usr/sbin/tcpdump, /bin/ping, /usr/bin/crontab -u root -l, /usr/bin/crontab -u root -e, /etc/init.d/crond reload, /usr/bin/updatedb, /bin/df, /usr/bin/du, /usr/bin/locate, /usr/bin/find, /bin/su
After that add below line
%User_A_permissions ALL=PERMISSIONS
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
Yes you can restrict a sudo user to restrict to run some specific root user commands. so that he/she can execute the configured permission as shown below.
Example : You can give the required permissions in vi /etc/sudoers
or type visudo
Add below types of required permissions in /etc/sudoers file.
User_A_permissions:
Cmnd_Alias PERMISSIONS = /usr/sbin/lsof, /usr/bin/ssh, /usr/bin/scp, /usr/bin/rsync, /usr/bin/telnet, /usr/bin/traceroute, /usr/bin/kill, /usr/bin/ps, /usr/bin/netstat, /usr/bin/grep, /usr/bin/crontab, /usr/sbin/tcpdump, /bin/ping, /usr/bin/crontab -u root -l, /usr/bin/crontab -u root -e, /etc/init.d/crond reload, /usr/bin/updatedb, /bin/df, /usr/bin/du, /usr/bin/locate, /usr/bin/find, /bin/su
After that add below line
%User_A_permissions ALL=PERMISSIONS
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
edited Jan 24 at 12:53
Hunter.S.Thompson
4,50631334
4,50631334
answered Jan 24 at 12:50
bala4rtraining
112
answered Jan 24 at 12:50
bala4rtraining
112
answered Jan 24 at 12:50
bala4rtraining
112
112
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
add a comment |Â
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
I think you are restricting the rm command with root privileges altogether. I need this user to be able to delete files with root privileges but not the log file.
– E.Bülbül
Jan 24 at 13:01
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
In above example, I have given sample commands so that sudo user can use it. You can add /bin/rm then sudo user can delete it.
– bala4rtraining
Jan 24 at 13:14
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
If you want to restrict a particular log file then give the below line in /etc/sudoers file username ALL = /usr/bin/vi !/var/log/messages, /usr/bin/vi !/etc/group, /usr/bin/vi !/etc/fstab
– bala4rtraining
Jan 24 at 13:15
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
@bala4rtraining With scp, rsync, or su privileges in the command list I would be able to read/write/delete the log file. I don't think you can restrict sudo the way the OP is asking.
– Doug O'Neal
Jan 24 at 16:30
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f419330%2fcan-i-restrict-a-user-with-root-privilegeswith-sudo-from-accessing-deleting-a%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
