Best way to allow a group to edit some /etc files

We have a group called JBossAdmins, and the users of this group must edit some /etc files on RHEL 6:

  • /etc/httpd/*
  • /etc/java/*
  • /etc/jboss/*

My first idea was to give the following sudo permissions:

%JBossAdmins ALL=(root) /bin/vi /etc/httpd/*
%JBossAdmins ALL=(root) /bin/vi /etc/java/*
%JBossAdmins ALL=(root) /bin/vi /etc/jboss/*

Obviously, the users can now start vi as root and then edit any file by executing, e.g., :e /etc/passwd

So sudo is not a good idea.

Then it occurred to me to do a chgrp JBossAdmins -R path and then a chmod g+rw -R path.

But I'm not quite sure whether this is a good idea either.

So, considering the security implications, what's the best practice for allowing a group of users to edit some /etc files? Are there any better alternatives to sudo or chgrp/chmod?


Solution 1:

Giving someone sudo on vi is always a bad idea. They can get out of vi into a root shell by issuing the :shell command. You don't want that.

An alternative for you might be sudoedit. You can then give your users/groups rights for sudoedit in the sudoers file:

%JBossAdmins <hostname> = sudoedit /etc/httpd/*
%JBossAdmins <hostname> = sudoedit /etc/java/*
%JBossAdmins <hostname> = sudoedit /etc/jboss/*
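An added check, not part of the answer above and not sudo's own code: sudoers matches the wildcard in rules like `sudoedit /etc/httpd/*` against the command's arguments joined into a single space-separated string, with fnmatch(3) semantics in which `*` also matches `/` and spaces (sudoers(5): "Command line arguments are matched as a single, concatenated string"), and sudo does not canonicalize the path before matching. The bash model below reproduces that matching so a candidate rule can be tried against the invocations a user might attempt; the function names `sudoers_args_match` and `demo` are this example's own.

```shell
#!/usr/bin/env bash
# Model of sudo's command-line argument matching (written for this page; it
# is not sudo's code). sudo joins the arguments of the requested command into
# one space-separated string and matches it against the rule's argument
# pattern with fnmatch(3) semantics, where '*' also matches '/' and ' '.
# Bash case patterns follow the same rules, so a case statement models it.
# Function names (sudoers_args_match, demo) are assumptions of this example.

# sudoers_args_match PATTERN ARG...  -> returns 0 if the rule would accept ARG...
sudoers_args_match() {
    local pattern=$1
    shift
    local joined="$*"             # "$*" joins with the first char of IFS: a space
    case "$joined" in
        $pattern) return 0 ;;     # unquoted on purpose: expanded as a glob
        *)        return 1 ;;
    esac
}

# demo: compares the wildcard rule from the answer with an explicit file list.
# The attempted invocations are constructed for this example.
demo() {
    local wildcard='/etc/httpd/*'
    local explicit='/etc/httpd/conf/httpd.conf'
    local attempts=(
        '/etc/httpd/conf/httpd.conf'                # the intended use
        '/etc/httpd/../shadow'                      # ".." is not normalised
        '/etc/httpd/conf/httpd.conf /etc/shadow'    # '*' matches across words
        '/etc/shadow'                               # plainly outside the rule
    )
    local rule attempt verdict
    for rule in "$wildcard" "$explicit"; do
        printf 'rule: sudoedit %s\n' "$rule"
        for attempt in "${attempts[@]}"; do
            # shellcheck disable=SC2086  # intentional: split into argv words
            if sudoers_args_match "$rule" $attempt; then
                verdict=ALLOWED
            else
                verdict=denied
            fi
            printf '  %-8s sudoedit %s\n' "$verdict" "$attempt"
        done
    done
}

demo
```

With the wildcard rule, `sudoedit /etc/httpd/../shadow` and `sudoedit /etc/httpd/conf/httpd.conf /etc/shadow` are both accepted; the explicit rule accepts only the intended file, and it is also rejected when extra arguments are appended. The same matching applies to the `/bin/vi /etc/httpd/*` lines in the question. Listing the files explicitly (comma-separated, no wildcards) or using the ACL approach in Solution 2 avoids the problem; `visudo -c -f <file>` syntax-checks a sudoers fragment before it is installed.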

Solution 2:

You could use ACLs instead and do something like

    setfacl -m g:JBossAdmins:rw /path/to/file

which would grant read/write permission on that specific file to anyone in the JBossAdmins group.