best ways allowing a group to edit some /etc files
we have a group called JBossAdmins and users of this group must edit some /etc files on a RHEL 6:
- /etc/httpd/*
- /etc/java/*
- /etc/jboss/*
my first idea was to give the following sudo permissions:
%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins ALL=(root) /bin/vi /etc/jboss/*
Obviously, the users can now start vi as root and then edit any file by executing e.g. :e /etc/passwd
So sudo is not a good idea.
Then it came to mind to do a chgrp JBossAdmins -R path and then a chmod g+rw -R path.
But I'm not quite sure whether this is a good idea either.
So, considering the security implications, what's the best practice for allowing a group of users to edit some /etc files? Are there any better alternatives than sudo or chgrp/chmod?
Solution 1:
Giving someone sudo in vi is always a bad idea. They can get out of vi with a root shell by issuing the :shell command. You don't want that.
An alternative for you might be sudoedit.
You can then give your users/groups rights for sudoedit in the sudoers file:
%JBossAdmins <hostname>: sudoedit /etc/httpd/*
%JBossAdmins <hostname>: sudoedit /etc/java/*
%JBossAdmins <hostname>: sudoedit /etc/jboss/*
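As an added example (not part of the question or of this answer), here is a small audit script that reads a sudoers fragment and flags rules of the question's first shape (an editor binary run as root) while listing the sudoedit rules that should replace them, plus a syntax check with visudo before the fragment goes into /etc/sudoers.d/. The sudoers content is constructed here; "jbosshost1" stands in for the answer's <hostname> placeholder.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: audit a sudoers
# fragment for rules that hand a group an interactive editor as root (the
# question's first idea, which the :e / :shell escapes turn into root access)
# and contrast them with the sudoedit rules from Solution 1.

# Constructed sudoers content; "jbosshost1" stands in for the answer's <hostname>.
SAMPLE_SUDOERS='%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins jbosshost1: sudoedit /etc/jboss/*
%wheel ALL=(ALL) ALL
# %JBossAdmins ALL=(root) /bin/vi /etc/jboss/*   (commented out, must be ignored)
%JBossAdmins ALL=(root) /usr/bin/vim /etc/httpd/httpd.conf'

# Rules (read from stdin) whose command is an editor binary. Each of these lets
# the user open another file or a shell from inside the editor, so they should
# be rewritten as sudoedit rules. Comment lines are skipped first.
risky_editor_rules() {
    grep -v '^[[:space:]]*#' \
    | grep -E '(^|[[:space:]/])(vi|vim|view|nano|emacs)([[:space:]]|$)'
}

# Rules (read from stdin) that already use sudoedit, the intended shape.
sudoedit_rules() {
    grep -v '^[[:space:]]*#' | grep -E '(^|[[:space:]])sudoedit([[:space:]]|$)'
}

# Number of risky rules in the constructed sample (3: two /bin/vi, one /usr/bin/vim).
risky_editor_rule_count() {
    printf '%s\n' "$SAMPLE_SUDOERS" | risky_editor_rules | wc -l | tr -d ' '
}

# Syntax-check a fragment file with visudo before installing it; visudo -c -f
# parses the file without touching /etc/sudoers. Skipped if visudo is absent.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax of $1 not checked" >&2
    fi
}

echo "Rules that grant a root editor (rewrite these as sudoedit):"
printf '%s\n' "$SAMPLE_SUDOERS" | risky_editor_rules
echo "sudoedit rules:"
printf '%s\n' "$SAMPLE_SUDOERS" | sudoedit_rules

# Syntax check of the sample written to a temporary file (a permission or
# ownership warning from visudo is reported, not treated as fatal here).
FRAGMENT=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$FRAGMENT"
check_sudoers_fragment "$FRAGMENT" || echo "visudo rejected the fragment" >&2
rm -f "$FRAGMENT"
```

Run it as an ordinary user to audit a proposed fragment; only the visudo step benefits from root. The editor list in risky_editor_rules is deliberately short, so extend it with whatever editors are installed on the host.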
Solution 2:
You could use ACLs instead and do something like
setfacl -m g:JBossAdmins:rw /path/to/file
which would grant r/w permission to anyone in the JBossAdmins group on the specific files.
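As an added example (not part of this answer), the following script applies that setfacl call to every regular file below the question's three directories, with a dry-run mode and a verification step, and leaves the directories themselves alone so the group gets edit rights on the files without the ability to create, delete or replace entries in the directories (which a recursive chmod g+rw would hand out as well). The group name and paths are the question's; the demonstration tree at the end is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: apply Solution 2's
# ACL approach to every configuration file under the question's directories and
# verify it, without making the directories themselves group-writable (unlike a
# recursive chmod g+rw, which would also let the group create, delete or replace
# files there). Group name and target paths are the ones from the question.

GROUP_NAME="JBossAdmins"
TARGET_DIRS="/etc/httpd /etc/java /etc/jboss"

# Dry run: print the setfacl command for each regular file below the given
# directories, one per line, without changing anything.
acl_plan() {
    for dir in "$@"; do
        find "$dir" -type f -print | while read -r f; do
            printf 'setfacl -m g:%s:rw %s\n' "$GROUP_NAME" "$f"
        done
    done
}

# Number of files the plan would touch.
acl_plan_count() {
    acl_plan "$@" | wc -l | tr -d ' '
}

# Apply for real: needs root and the acl package (setfacl/getfacl) on RHEL.
# setfacl recalculates the ACL mask, so the new group entry is effective even
# on files whose mode grants the group nothing.
acl_apply() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed (acl package)" >&2; return 1; }
    for dir in "$@"; do
        find "$dir" -type f -print | while read -r f; do
            setfacl -m "g:$GROUP_NAME:rw" "$f"
        done
    done
}

# Verify: list files below the directories that still lack the named group entry
# (ls -l only shows a trailing "+", so getfacl is needed to audit this).
acl_missing() {
    for dir in "$@"; do
        find "$dir" -type f -print | while read -r f; do
            getfacl "$f" 2>/dev/null | grep -q "^group:$GROUP_NAME:rw" || echo "$f"
        done
    done
}

# Demonstration on a constructed temporary tree standing in for $TARGET_DIRS.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/httpd/conf.d" "$DEMO/jboss"
: > "$DEMO/httpd/httpd.conf"
: > "$DEMO/httpd/conf.d/ssl.conf"
: > "$DEMO/jboss/jboss.conf"
echo "Planned changes:"
acl_plan "$DEMO/httpd" "$DEMO/jboss"
# For the real directories, as root:  acl_apply $TARGET_DIRS; acl_missing $TARGET_DIRS
```

Two things to keep in mind with this approach: the entry is attached to the existing files only, so files created later (or replaced by a package update) will not carry it until you either re-run acl_apply or set a default ACL on the directory with setfacl -d -m g:JBossAdmins:rw <dir>, which new files under that directory then inherit; and the group still needs execute permission on the parent directories to reach the files, which the /etc subdirectories normally grant to everyone. Running acl_missing after updates catches files that lost the entry.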