4

we have a group called JBossAdmins and users of this group must edit some /etc files on a RHEL 6:

  • /etc/httpd/*
  • /etc/java/*
  • /etc/jboss/*

my first idea was to give the following sudo permissions:

    %JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
    %JBossAdmins ALL=(root) /bin/vi /etc/java/*
    %JBossAdmins ALL=(root) /bin/vi /etc/jboss/*

Obviously, the users can now start vi as root and then edit any file by executing, e.g., :e /etc/passwd

So sudo is not a good idea.

Then it came to mind to do a chgrp JBossAdmins -R path and then a chmod g+rw -R path.

But I'm not quite sure whether this is a good idea either.

So considering the security implications, what's the best practice for allowing a group of users to edit some /etc files? Are there any better alternatives than sudo or chgrp/chmod?

JMW
  • 1,451
  • 4
  • 19
  • 27

2 Answers

5

Giving someone sudo in vi is always a bad idea. They can get out of vi with a root shell by issuing the :shell command. You don't want that.

An alternative for you might be sudoedit. You can then give your users/groups rights for sudoedit in the sudoers file:

    %JBossAdmins <hostname> = sudoedit /etc/httpd/*
    %JBossAdmins <hostname> = sudoedit /etc/java/*
    %JBossAdmins <hostname> = sudoedit /etc/jboss/*

Bart De Vos
  • 17,761
  • 6
  • 62
  • 81
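As an added example, not code from the answer above: the small POSIX shell script below builds a sudoers drop-in (for /etc/sudoers.d/) that lets a group sudoedit a fixed list of files, writes it with the 0440 mode sudo requires, and syntax-checks it with visudo before it goes live. The group name, host name and file list are assumed values supplied by the caller. It lists files explicitly rather than using a directory wildcard, because per sudoers(5) a `*` in command-line arguments also matches `/`, so a directory pattern is looser than it looks.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: build a sudoers
# drop-in that lets a group sudoedit a fixed list of files, install it with
# the mode sudo expects, and validate it with visudo.
# The group, host and file list are assumed values passed by the caller.

# gen_sudoedit_rules GROUP HOST FILE...
# Prints one "%GROUP HOST = sudoedit FILE" rule per file. Listing files
# explicitly is tighter than a directory wildcard: per sudoers(5), a '*' in
# command-line arguments also matches '/'.
gen_sudoedit_rules() {
    group=$1
    host=$2
    shift 2
    for path in "$@"; do
        # '%%' yields a literal '%', the sudoers prefix for a group name
        printf '%%%s %s = sudoedit %s\n' "$group" "$host" "$path"
    done
}

# write_fragment DEST GROUP HOST FILE...
# Writes the rules to DEST (use a name without '.' or '~', which sudo
# ignores under /etc/sudoers.d) and sets the 0440 mode sudo requires.
write_fragment() {
    dest=$1
    shift
    gen_sudoedit_rules "$@" > "$dest" || return 1
    chmod 0440 "$dest"
}

# check_fragment FILE
# Syntax-checks a fragment with visudo; returns non-zero on a parse error
# (or 2 if visudo is not installed).
check_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1"
}

# Usage (as root, with the real group and host; file paths are examples):
#   write_fragment /etc/sudoers.d/jbossadmins JBossAdmins ALL \
#       /etc/httpd/conf/httpd.conf /etc/jboss/jboss.conf
#   check_fragment /etc/sudoers.d/jbossadmins
```

Run check_fragment before copying anything into /etc/sudoers.d: a syntax error in a drop-in can lock everyone out of sudo, which is exactly what visudo's check mode exists to prevent.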

4

You could use ACLs instead and do something like

    setfacl -m g:JBossAdmins:rw /path/to/file

which would grant r/w permission to anyone in the JBossAdmins group to the specific files.

Migs
  • 338
  • 3
  • 7
  • This is exactly what you should do. Using `sudo` is a clunky solution. How about if they use a different editor? Or if they want to use `less` or `cat`? – Belmin Fernandez Feb 10 '12 at 15:05
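As an added example, not code from the answer or the comment above: the script below applies the ACL approach to a whole configuration directory rather than a single file. A default ACL (`setfacl -d`) on the directory makes files created later inherit the group entry, which a one-off `setfacl -m` on the existing files does not give you, and `getfacl` is then used to verify that the group's entry is in effect and not reduced by the mask. The group and directory names are assumed values supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the answer: grant a group read/write on a
# config directory with POSIX ACLs and audit the result with getfacl.
# Group and directory are assumed values supplied by the caller.

# acl_grant GROUP DIR
# Group gets rwx on the directory itself (x to traverse it), rw on every
# regular file already in it, and a default entry so files created later
# inherit rw (when a default ACL exists the umask is not applied; the
# creating process's mode argument still bounds the inherited permissions).
# Returns 2 if the ACL tools are missing, 1 if setfacl fails (for example
# on a filesystem mounted without ACL support).
acl_grant() {
    group=$1
    dir=$2
    command -v setfacl >/dev/null 2>&1 || return 2
    setfacl -m "g:$group:rwx" "$dir" || return 1
    setfacl -d -m "g:$group:rw" "$dir" || return 1
    # Existing regular files get an explicit entry; -type f skips subdirs
    find "$dir" -type f -exec setfacl -m "g:$group:rw" {} + || return 1
}

# acl_audit GROUP PATH
# Succeeds only if PATH carries an rw entry for GROUP that is actually in
# effect: getfacl appends "#effective:..." when the mask cuts it down.
acl_audit() {
    group=$1
    getfacl -p "$2" 2>/dev/null | grep "^group:$group:rw" | grep -qv '#effective'
}

# Usage (as root, directory path is an example):
#   acl_grant JBossAdmins /etc/jboss && acl_audit JBossAdmins /etc/jboss/jboss.conf
```

One thing this does not change is the group's ability to read or write anything outside the listed directories, which is the property the question is after; unlike the sudo-on-vi rule, there is no root process involved at all.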