I have an application running on my servers (a data backup utility), which is administered by some guys who have barely any UNIX know-how. Most administration is done via a GUI, but sometimes they need to edit files, watch logfiles or delete files within their application. I am thinking about configuring sudoers to enable them to do the things they need to do. Since I am not an experienced sudo user, I am thinking about some configuration pitfalls.
Host_Alias SERV_BACKUP = serv1, serv2, serv3
User_Alias BACKUPADM = user1, user2, user3
# can I limit them to delete files within their dir with this command?
BACKUPADM SERV_BACKUP = NOPASSWD: /usr/bin/rm /my/applicationdir/*
# how safe is this? think about "sudo cat /my/applicationdir/mypasswd > /etc/passwd"
# can I prevent this by any option(s)?
BACKUPADM SERV_BACKUP = NOPASSWD: /usr/local/bin/less /my/applicationdir/*
BACKUPADM SERV_BACKUP = NOPASSWD: /usr/bin/cat /my/applicationdir/*
Since the application is linked to the OS filesystems (/var /etc /opt), a chroot environment might not be the best solution.
Any suggestions on how to configure sudo safely?
Best Regards, Franz
--
System Manager (Solaris, HP-UX, Linux, some networking, some SAN)
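
An added example, not part of the original post: a small audit of the argument pattern used in the rules above. It compares what the wildcard accepts with a real containment check that a wrapper script could apply instead. The function names and the sample argument lists are hypothetical; the matching is an approximation of the behaviour documented in sudoers(5), where arguments are joined into one string and a wildcard also matches "/" and spaces.

```python
import fnmatch
import os

APP_DIR = "/my/applicationdir"        # directory named in the post
RULE_ARGS = "/my/applicationdir/*"    # argument pattern from the post's rules


def rule_allows(args):
    """Approximate sudoers argument matching (assumption: fnmatch-style).

    sudoers joins the arguments with spaces and globs the whole string,
    so '*' is not limited to a single path component or a single argument.
    """
    return fnmatch.fnmatchcase(" ".join(args), RULE_ARGS)


def inside_app_dir(path, base=APP_DIR):
    """Containment check: canonicalise first, then compare with the base.

    realpath() resolves '..' and symlinks, so the decision is made on the
    file that would actually be opened, not on the string that was typed.
    """
    real = os.path.realpath(path)
    base = os.path.realpath(base)
    return real != base and os.path.commonpath([real, base]) == base


def audit(args):
    """Return (accepted_by_glob, every_argument_contained)."""
    return rule_allows(args), all(inside_app_dir(a) for a in args)


# Constructed sample argument lists, for illustration only.
SAMPLES = [
    ["/my/applicationdir/old.log"],
    ["/my/applicationdir/../../etc/passwd"],
    ["/my/applicationdir/old.log", "/etc/passwd"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        glob_ok, contained = audit(sample)
        print(f"{' '.join(sample)!r}: glob={glob_ok} contained={contained}")
```

Any argument list where the two results differ is one the wildcard rule permits although it refers to a file outside the application directory. A check like inside_app_dir still leaves a window between the check and the use of the file, so the directory should not be writable by the users being restricted.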