Linux Help Desk (linuxsupport)

sudo for write access to a single file [Jan. 4th, 2010|09:27 am]
[pkbarbiedoll]
Can sudo be used to grant write access to a single file? I've granted sudoer access to a script, but this script writes to a log file. Currently the log file is chmod 644, and sudoers are unable to use the script due to incorrect permissions on the log file. I could chmod 666 to everyone, but that would be problematic.

Comments:
From: poly_scott
2010-01-04 02:51 pm (UTC)
Sure. You could use ACLs to give just the user the script runs as perms to the file where everyone else wouldn't have them. Then you could lock the file down even farther (0600 for example) and let the ACL grant the needed access to just who needs it. This would require that ACL support be in your kernel. What distro?
From: pkbarbiedoll
2010-01-04 02:58 pm (UTC)
RHEL 5
From: poly_scott
2010-01-04 03:05 pm (UTC)
Ah. We're a mostly Debian/Ubuntu shop, so I'm not sure what packages you'll need. You can most likely use up2date to install whatever modules you need for ACLs if they are not included in the standard stock kernel though. If you do not have ACLs already, you will have to reboot after installing support for them. Sucks, but it's a low level file system thing.
From: pengshui_master
2010-01-04 08:24 pm (UTC)
If you're not near the 16 groups per user - why not create a custom group for those users and put the file in that group with mode 660?

That way you don't need ACL support.
From: pkbarbiedoll
2010-01-04 08:32 pm (UTC)
That was my temporary workaround actually. I'm fine with leaving things that way, but wondered whether it could be done within the confines of sudoers.
From: tychoish
2010-01-05 03:19 am (UTC)
chmod +s the script, if it's suid safe?

this isn't going to be distro specific.
From: oholiab
2010-01-06 10:36 pm (UTC)
chown the file to whatever group sudoers is and make it 664.

Traditionally it's wheel I think, but that might be distro specific
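
The custom-group approach suggested in the thread (group ownership plus mode 660 rather than 666), sketched as an added example that is not part of any poster's comment. The group name `scriptlog`, the user `alice` and the log path in the comments are hypothetical, and `stat -c` assumes GNU or busybox `stat`.

```shell
#!/bin/sh
# Added example: group-owned log file with mode 660 instead of 666.
# On the real host, as root (group, user and path are hypothetical):
#   groupadd scriptlog
#   usermod -a -G scriptlog alice
#   restrict_log_to_group /var/log/myscript.log scriptlog

# Return 0 if FILE grants write permission to "other" (e.g. 666), else 1.
is_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *[2367]) return 0 ;;   # last octal digit has the write bit set
        *)       return 1 ;;
    esac
}

# Give FILE to GROUP (name or numeric gid) with mode 660 and verify it.
# The caller must be root, or own FILE and be a member of GROUP.
restrict_log_to_group() {
    file=$1
    group=$2
    # Refuse symlinks so chgrp/chmod cannot be redirected to another file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "not a regular file: $file" >&2
        return 2
    fi
    chgrp "$group" "$file" || return 1
    chmod 660 "$file" || return 1
    # Confirm the resulting mode and group rather than trusting exit codes.
    [ "$(stat -c '%a' "$file")" = "660" ] || return 1
    [ "$(stat -c '%G' "$file")" = "$group" ] ||
        [ "$(stat -c '%g' "$file")" = "$group" ] || return 1
    return 0
}
```

Users added to the group pick up the new membership only at their next login, so an existing session will still be denied write access until then.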