We have a group called JBossAdmins, and users of this group must edit some /etc files on a RHEL 6 system:
- /etc/httpd/*
- /etc/java/*
- /etc/jboss/*
My first idea was to give the following sudo permissions:
%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins ALL=(root) /bin/vi /etc/jboss/*
Obviously, the users can now start vi as root and then edit any file by executing, e.g., :e /etc/passwd
So sudo is not a good idea.
Then it came to my mind to do a chgrp JBossAdmins -R path and then a chmod g+rw -R path.
But I'm not quite sure whether this is a good idea either.
So considering the security implications, what's the best practice for allowing a group of users to edit some /etc files? Are there any better alternatives than sudo or chgrp/chmod?
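
The problem described in the question can be checked for mechanically. The following is an added example, not part of the original post: a small sudoers lint that flags rules granting a program that can open other files or start a shell once it is running. The function name `risky_editor_rules`, the `ESCAPE_CAPABLE` list and the fourth sample rule are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: illustrative, not exhaustive, set of programs that can open
# other files or start a shell from inside a running session.
ESCAPE_CAPABLE = {"vi", "vim", "view", "nano", "emacs", "ed", "less", "more"}

# Constructed sample: the three rules from the post, one constructed
# multi-command rule, and a commented-out rule for contrast.
SAMPLE_SUDOERS = """\
%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins ALL=(root) /bin/vi /etc/jboss/*
%JBossAdmins ALL=(root) NOPASSWD: /sbin/service httpd restart, \\
    /usr/bin/less /var/log/httpd/*
# %JBossAdmins ALL=(root) /bin/vi /etc/hosts
"""

RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. NOPASSWD:, NOEXEC:

def risky_editor_rules(text):
    """Return one finding per granted command that runs an escape-capable program."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    findings = []
    for line in map(str.strip, text.splitlines()):
        # Skip blanks, comments, Defaults and alias definitions (aliases are
        # not expanded here, so a Cmnd_Alias hiding an editor is missed).
        if not line or line[0] == "#" or line.startswith("Defaults") \
                or line.split()[0].endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        for cmd in cmds.split(","):
            argv = TAGS.sub("", cmd.strip()).split()
            if argv and PurePosixPath(argv[0]).name in ESCAPE_CAPABLE:
                findings.append({
                    "who": who,
                    "runas": runas or "root",  # sudo runs as root by default
                    "program": PurePosixPath(argv[0]).name,
                    "command": " ".join(argv),
                    # sudoers(5) says wildcards in arguments need care
                    "wildcard_args": any(c in a for a in argv[1:] for c in "*?["),
                })
    return findings

if __name__ == "__main__":
    for f in risky_editor_rules(SAMPLE_SUDOERS):
        print(f"{f['who']} as {f['runas']}: {f['command']}")
```

On the sample it reports the three vi rules from the post and the constructed less rule, and ignores the service rule and the commented-out line.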