1

For reasons, I need to read /root/.ssh/authorized_keys with a user who doesn't have the right to read it. Obviously, I can't change the rights (nor the ACL) of the file, because ssh wouldn't like it.

I access the file using Python:

try:
    with open("/root/.ssh/authorized_keys", 'r') as f:
        foo()  # placeholder for whatever the script does with the open file
except EnvironmentError:
    # open() raises IOError/OSError (both EnvironmentError) on EACCES or ENOENT
    print('Bad permissions and/or file not existing')

The python script will be executed by an unprivileged user with sudo. What are the minimal permissions I have to put in the sudoers file to allow the script to read the file?

Shan-x

2 Answers

1

Sudo is for executing, not reading, files. If someone runs that python script with sudo, the entire script will have root rights, and will have no problem reading the file. But it will also have no problem adding keys to it, or changing the root password, or just doing an rm -rf /*.

If you want to ONLY grant read access to a specific file using sudo, the best way to do it is to give the user sudo rights to print that file to stdout.

For example, you can write a script that does nothing but cat the file. Put this in /usr/bin/get_root_authkeys.sh:

#!/bin/sh
cat /root/.ssh/authorized_keys

(make sure that file is executable, but not writable by the user).

Then put this in sudo:

# NOPASSWD needs a trailing colon; the command must be an absolute path
username ALL=(root:root) NOPASSWD: /usr/bin/get_root_authkeys.sh

A slightly simpler solution: You can give them sudo rights to the cat command, e.g.

# sudoers only matches commands given by absolute path, so spell out cat's path
username ALL=(root:root) NOPASSWD: /usr/bin/cat /root/.ssh/authorized_keys

From there, instead of doing an fopen, you execute that sudo command (e.g. sudo /usr/bin/get_root_authkeys.sh or sudo cat /root/.ssh/authorized_keys) and read its output.

TexasDex

Use "visudo" to edit the sudoers file; do not edit it directly. visudo sanity checks your changes to ensure you don't introduce a fault. – F1Linux May 10 '21 at 07:41
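As an added example (not part of TexasDex's answer or the question's own script), here is what the Python side of that approach can look like in Python 3: the script runs the sudo-permitted wrapper as an argv list with no shell, turns a sudo refusal or missing wrapper into PermissionError so the caller's existing except branch still applies, and parses the key lines it gets back. The wrapper path /usr/bin/get_root_authkeys.sh comes from the answer above and is assumed to be installed with the matching sudoers rule; the sudo -n flag, the parser's handling of option prefixes and the sample key data are assumptions or constructed for this example, and demo_offline() stands in for the wrapper so the code runs without root.

```python
import subprocess
import sys

# Added example, not code from the original post. It assumes the wrapper script
# /usr/bin/get_root_authkeys.sh and the NOPASSWD sudoers rule from the answer
# above are already in place; "-n" makes sudo fail instead of prompting if not.
SUDO_READ_CMD = ["sudo", "-n", "/usr/bin/get_root_authkeys.sh"]

# Prefixes of the key-type field in authorized_keys (ssh-rsa, ssh-ed25519, ecdsa-*, sk-*).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def read_via_sudo(cmd=SUDO_READ_CMD, timeout=10):
    """Run the sudo-permitted command (argv list, no shell) and return its stdout.

    A non-zero exit (sudo denied, wrapper missing, file unreadable) or a missing
    binary is mapped to PermissionError so the caller handles it exactly as the
    original script handled EnvironmentError from open().
    """
    try:
        result = subprocess.run(cmd, capture_output=True, text=True,
                                timeout=timeout, check=False)
    except FileNotFoundError as exc:
        raise PermissionError("command not available: %s" % cmd[0]) from exc
    if result.returncode != 0:
        raise PermissionError("%s failed (exit %d): %s"
                              % (" ".join(cmd), result.returncode, result.stderr.strip()))
    return result.stdout


def parse_authorized_keys(text):
    """Return (key_type, base64_blob, comment) for each key line.

    Blank lines and '#' comments are skipped. Leading options such as
    command="..." or no-pty are skipped by locating the key-type token;
    options containing quoted spaces are not handled (simplification here).
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
                keys.append((field, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return keys


# Constructed sample content so the parser can be exercised without root.
SAMPLE_AUTHORIZED_KEYS = (
    "# keys for the admin account (constructed sample)\n"
    "\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@workstation\n"
    'command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyTwo backup@host\n'
)


def demo_offline():
    """Exercise the same code path without sudo: Python itself plays the wrapper."""
    cmd = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])",
           SAMPLE_AUTHORIZED_KEYS]
    return parse_authorized_keys(read_via_sudo(cmd))


if __name__ == "__main__":
    try:
        content = read_via_sudo()          # the real, sudo-backed read
    except PermissionError as err:
        print("Bad permissions and/or file not existing:", err)
        content = None
    if content is not None:
        for key_type, blob, comment in parse_authorized_keys(content):
            print(key_type, blob[:16] + "...", comment)
```

Passing the command as a list keeps the shell out of the picture, so the only thing executed with elevated rights is the exact argv that the sudoers rule names; the script never sees the file descriptor itself, only the bytes the wrapper chose to print.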
0

Try with this in /etc/sudoers:

username ALL = (root:root) NOPASSWD: /root/.ssh/authorized_keys
13dimitar

Use "visudo" to edit the sudoers file; do not edit it directly. visudo sanity checks your changes to ensure you don't introduce a fault. – F1Linux May 10 '21 at 07:37