Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hello,
I want a user to be in the sudoers file, but not be able to see the contents of a specific file. What should I do?
Since this is in the "Security" forum, I'll suggest you give some thought to this. The main idea is that anyone you give superuser/sudo/elevated rights to on a system is someone you can TRUST. If you can't...you shouldn't be giving them those privileges.
But you CAN do what you're after...maybe. The sudoers file can be edited to allow only SOME commands to be run with elevated privileges, and some not to be run at all. So you could go in and edit sudoers to disallow running vi/emacs as sudo with that file name. For example:
...but that's pointless if you allow them to edit/run visudo, or allow them access to OTHER commands (like cp, mv, etc.), since they can just copy the file elsewhere, rename it, then look at it. There are also things you can do with sudoedit, or using ACL's, but it's a problem that has no real solution. Anyone with elevated rights has an attack vector that makes things easy. If they know what they're doing, you aren't going to keep them out.
This should require a lot of thought before you try to implement anything. Personally, I'd not user sudoers, but just encrypt the file and not give that person the password.
Assuming you are talking about giving this user root privileges, and want them to be able to view every other file except for the one you are concerned about, that's going to require more than you can do (practically) in the sudoers file alone.
Encrypting the file is one thing. But when the files owner decrypts the file to use it, those decrypted contents will be in system memory which root can read. Yes, that will require a bit of system knowledge to get at, so it depends on how sophisticated this specific sudoer is to determine if this is a security concern worth bothering with.
If you give someone root access, you are giving them the keys to your kingdom. The only way to protect against them abusing their privilege is to move the file you are concerned about to a different kingdom (a different computer).
You can indeed give a sudoer very limited root privileges in the sudoers file. Permission to execute only a few specific commands. But it sounds like you are wanting what I mentioned above, "full root access, except for this one file". That is going to be difficult to implement. Encryption of the file is a good move, especially if your sudoer is not a crackerjack sysadmin that is used to dealing with raw system memory. Moving the file to a different computer takes it away from the sudoers direct grasp, but remember that if you access that remote from from the computer that the sudoer exists on, they still may be able to intercept your communications and see that file.
It may well be that you are looking at an "XY Problem", where you are expressing a problem in terms of what you think will solve it, versus the one that is most appropriate.
This requirement might reasonably be "parsed" thusly; "Why does this user need to be 'in the sudoers file'," yet not be allowed to access 'a particular object?'" It seems quite clear to me that 'the actual issue' has to do with "the security privileges that this user is entitled to have." If the user's capabilities and access are to be limited, then it is fairly axiomatic that he cannot be "rootly."
Last edited by sundialsvcs; 07-24-2023 at 09:52 PM.
this should go in the other direction, you need to allow only what is really required, nothing more. (for example allow editing a single config file). But if you allowed everything you cannot deny access to only one file, that is impossible. And actually if you could somehow manage it the user will easily find another way to access that file.
If it is just one file you do not want the person to see, why not encrypt it with gpg, ccrypt or even use 7zip. You need passwords/passphrases when you do this and even root has no access without the passphrase. There are a number of sites explaining these options.
Technically speaking, the ACL mechanism can be very specific. However, I echo my original "XY Problem" sentiment. If you launch a process successfully using "sudo," then that process runs with "root privileges." Therefore, if you want that process to be limited, especially in such a particular way, then "sudo" is categorically not the proper solution to the problem.
Also note: while the concept of "ACLs" is different between (network and native) filesystems, both in terms of how they work and what they can and cannot do, they are by-now pretty much supported everywhere. In other words, "you are not limited by the -rwxrwxrwx "Unix® file permissions mask." Your Mileage May Vary™ but this is the proper place to look – probably not "sudo."
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.