sudo or acl or setuid/setgid?

sudo access-control-list setuid setgid

for a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are way to read a logfile (head/tail/cat/more, ...).

I think, sudo is defeating here.

I'd rather use a mix of setgid/setuid directories and add ACL here and there but I really need to know what are the best practices before starting up.

Our servers have %admin, %production, %dba, %users -i.e many groups and many users. Each service (mysql, apache, ...) has its own way to install privileges but members of the %production group must be able to consult configuration file or even log files. There is still the solution to add them into the right groups (mysql...) and set the good permission. But I do not want to usermod all users, I do not want to modify standards permissions since it could change after each upgrade.

On the other hand, setting acls and/or mixing setuid/setgid on directories is something I could easily do without "defacing" the standard distribution.

What do you think about this ?

Taking the mysql example, that would look like this:

setfacl d:g:production:rx,d:other::---,g:production:rx,other::--- /var/log/mysql /etc/mysql

Do you think this is good practise or should I definetely usermod -G mysql and play with standard permissions system ?

Thank you


Solution 1:

Best practices: maintain the sudoers file and use sudo.

On my personal machine, I prefer setuid/gid, but I'm the only one on my computer; and I don't do it to anything blatantly dangerous like rm.

Solution 2:

Best practices (and most common) tend toward using sudo. Sudo offers you fine-grained control, and the configuration can handle multiple machines all at once.

Using ACLs can complement this - sudo handles operations as root; ACLs give and take away rights to directories and files to users and groups. I wouldn't count on setgid and setuid to do anything reasonable.

I would also implement the wheel group; this will help increase security. Check to see if your su program supports the wheel group.

One more thing: if you have view or less as a way to read a logfile, then you are at risk: both of these programs offer shell access.

Related

cron output options when using curl
cpio VS tar and cp
Use linefeed or carriage return in Subversion commit message from the command line
MySQL command appends '@localhost' to username
Hosting an NTP server on a standalone network
Using modem for sending voice recording
Monitoring hardware RAID on VMWare ESXi
Allow Apache to run a command as a different user
Email when Linux server disk is full?
"Darkening of Tristram" paragon portraits on consoles
Why am I receiving repeated captchas (10+ occurrences) after a softban?
Can diseases affect NPCs and creatures in Skyrim?