Home / server / Questions / 358673
Accepted
JMW
Asked: 2012-02-11 00:47:15 +0800 CST

best ways allowing a group to edit some /etc files

  • 772

we have a group called JBossAdmins and users of this group must edit some /etc files on a RHEL 6:

  • /etc/httpd/*
  • /etc/java/*
  • /etc/jboss/*

my first idea was to give the following sudo permissions:

%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins ALL=(root) /bin/vi /etc/jboss/*

Obviously, the users can now start the vi as root and then edit any file by executing f.e. :e /etc/passwd

So sudo is not a good idea.

Then it came into my mind to do a chgrp JBossAdmins -R path and then a chmod g+rw -R path.

But i'm not quite sure whether this is a good idea either.

So considering the security implications, what's the best practice allowing a group of users to edit some /etc file? Are there any better alternatives than sudo or chgrp/chmod?

security sudo vi

2 Answers

  1. Best Answer

    Giving someone sudo in vi is always a bad idea. They can get out of vi with a root-shell by issuing the :shell command. You don't want that.

    An alternative for you might be sudoedit. You can then give your users/groups rights for sudoedit in the sudoers-file:

    %JBossAdmins <hostname>: sudoedit /etc/httpd/*
%JBossAdmins <hostname>: sudoedit /etc/java/*
%JBossAdmins <hostname>: sudoedit /etc/jboss/*
    • 5

  2. You could use acls instead and do something like

        setfacl -m g:JBossAdmins:rw /path/to/file

    which would grant r/w permission to anyone in the JBossAdmins group to the specific files.

    • 4