
#1 2010-07-25 07:56:08

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

[solved] Sudo and file access

If I want certain users to be able to access wakealarm, do I have to create a script in order to modify wakealarm and edit sudoers so the users can run the script as root, or is there a way via the sudoers file I can grant to specific users access to just wakealarm?

Last edited by omgwtfbyobbq (2010-07-25 22:15:14)


#2 2010-07-25 07:57:34

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

Files permissions can do that: you specify a group that can read / write / execute that file / directory and add some users to the group.


#3 2010-07-25 07:59:31

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

I'd rather not mess w/ the file permissions because other programs (mythtv offhand) use wakealarm too.


#4 2010-07-25 08:02:48

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

omgwtfbyobbq wrote:

I'd rather not mess w/ the file permissions because other programs (mythtv offhand) use wakealarm too.

So use visudo and add your program there.

http://ubuntu-tutorials.com/2007/03/01/ … th-visudo/

Last edited by karol (2010-07-25 08:05:07)


#5 2010-07-25 08:06:32

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

I know I can do that, but is there a way I can just use sudo to dictate file access for individual users? I don't need or want to run the whole script as root (I suppose I could create a script that only accessed wakealarm, let that grab a variable from my other script, and let my users execute that as root, but that seems too kludgy), I'd just like to let certain users access wakealarm while maintaining file permissions.

Last edited by omgwtfbyobbq (2010-07-25 08:09:10)


#6 2010-07-25 08:08:37

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

omgwtfbyobbq wrote:

I know I can do that, but is there a way I can just use sudo to dictate file access for individual users?

Sure, there's a bunch of examples in the man page http://www.gratisoft.us/sudo/sudo.man.html

To edit the index.html file as user www:
$ sudo -u www vi ~www/htdocs/index.html

omgwtfbyobbq wrote:

I suppose I could create a script that only accessed wakealarm

Above you have a one-liner where you edit as user www - is that what you want?


omgwtfbyobbq wrote:

is there a way I can just use sudo to dictate file access for individual users?

Yes, you can let individual users (or groups) run all programs or just a specified few.

Last edited by karol (2010-07-25 08:19:22)


#7 2010-07-25 08:17:06

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

Not as far as I know. Access has to be w/o a password. If possible, I'm guessing the config would look something like this.

%users ALL = NOPASSWD: echo $somenumber > /sys/class/rtc/rtc0/wakealarm

I shouldn't let users run echo willy nilly, but I can't seem to figure out how to restrict access to specific files.


#8 2010-07-25 08:21:52

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

omgwtfbyobbq wrote:

Not as far as I know. Access has to be w/o a password. If possible, I'm guessing the config would look something like this.

%users ALL = NOPASSWD: echo $somenumber > /sys/class/rtc/rtc0/wakealarm

I shouldn't let users run echo willy nilly, but I can't seem to figure out how to restrict access to specific files.

Ah, so you want them to run echo, not some_other_app. I think you need to create a script, 'chmod +x' it and put it in the sudoers file.

%users ALL = NOPASSWD: echo $somenumber > /sys/class/rtc/rtc0/wakealarm

This allows all users to run it.

%myusers ALL = NOPASSWD: /path/to/myscript

This allows only the users in 'myusers' group to run '/path/to/myscript' script.



In the meantime I edited the previous post :-)

Last edited by karol (2010-07-25 08:24:38)
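
An added example, not part of any post in this thread: the wrapper approach from post #8 written as a root-owned script. sudoers matches a command path and does not interpret shell redirection such as `> file`, so the write has to happen inside the script, which validates its single argument before touching wakealarm. The script path, the 10-digit limit and the clear-then-set sequence are assumptions of this example.

```shell
#!/bin/sh
# Added example: /usr/local/sbin/set-wakealarm (hypothetical path).
# Install root-owned, mode 0755, so sudo users cannot modify it.
# Matching sudoers entry (edit with visudo), using the thread's group name:
#   %myusers ALL = (root) NOPASSWD: /usr/local/sbin/set-wakealarm

RTC=/sys/class/rtc/rtc0/wakealarm   # fixed target; never taken from the caller

# set_wakealarm VALUE TARGET
# Accepts only a plain epoch timestamp (1-10 digits), then clears and sets it.
# Returns 2 on rejected input, 1 if the write fails.
set_wakealarm() {
    value=$1
    target=$2
    case "$value" in
        ''|*[!0-9]*)
            echo "set-wakealarm: value must be digits only" >&2
            return 2 ;;
    esac
    if [ "${#value}" -gt 10 ]; then
        echo "set-wakealarm: value too long" >&2
        return 2
    fi
    # Clear any pending alarm first, then write the new one.
    printf '0\n' > "$target" || return 1
    if [ "$value" != 0 ]; then
        printf '%s\n' "$value" > "$target" || return 1
    fi
}

# Run only when given exactly one argument: set-wakealarm 1280100000
if [ "$#" -eq 1 ]; then
    set_wakealarm "$1" "$RTC"
fi
```

Because the target path is fixed inside the script and the argument is limited to digits, the NOPASSWD rule grants a write to wakealarm and nothing else.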


#9 2010-07-25 08:25:15

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

That's what I was thinking, but it's just so clumsy.


#10 2010-07-25 08:30:40

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

omgwtfbyobbq wrote:

That's what I was thinking, but it's just so clumsy.

The users still need to have permissions regarding editing /sys - giving them permission for that script doesn't automatically grant that.


#11 2010-07-25 08:34:29

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

Maybe you can create another layer: a cronjob that looks inside a file that users can edit and sets wakealarm to the desired value. I don't know if it's more or less clumsy in your opinion.


#12 2010-07-25 08:44:40

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

I'm not sure if it would be suitable. At least it's another option. Thanks for the help btw.


#13 2010-07-25 08:49:59

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Sudo and file access

omgwtfbyobbq wrote:

I'm not sure if it would be suitable. At least it's another option. Thanks for the help btw.

This way you can set file permissions (write) for that file and keep all the other permissions on your system intact.


#14 2010-07-25 15:41:17

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,333

Re: [solved] Sudo and file access

I really hate to say it, but this is an area where Windows has a leg up on us. 

There is a concept called ACL (Access Control List) that provides finer granularity for access permissions than those provided by user, group, and other.
DEC's VMS was very good at it, and NTFS is pretty good.

There now seems to be support for it in Linux -- try man acl, or try this article: http://linuxcommando.blogspot.com/2007/ … s-you.html


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#15 2010-07-25 19:53:11

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: [solved] Sudo and file access

ewaller wrote:

...DEC's VMS was very good at it...

OpenVMS is still very good at it. It's not dead and some of us use it every day. :-)


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#16 2010-07-25 22:14:31

omgwtfbyobbq
Member
Registered: 2006-07-04
Posts: 226

Re: [solved] Sudo and file access

ACL looks perfect, thanks for the info ewaller!
