Grep access on maillog for non-root

Solution 1:

You could use an ACL on the file(s) to grant read permission to the user:

setfacl -m user:grepuser:r /var/log/maillog*

This has the advantage of allowing the user to use any tool they wish.

This is also logrotate-safe for maillog*.

Solution 2:

Unless you know the specific strings the users will be searching for and the specific files they'll be checking, using sudo is not a good solution for this. If you create a rule like this:

blizz ALL=root NOPASSWD: /bin/grep * /var/log/maillog*

The user will be able to run commands like this:

grep root /etc/shadow /var/log/maillog
grep = /root/my.cnf /var/log/maillog

They'll be able to read any file on the system. You can find more information about this issue here:

http://blog.csnc.ch/2012/10/dangerous-sudoers-entries-part-4-wildcards/

If you know what strings and files the user will be checking you could define separate rules for each scenario. For example:

Cmnd_Alias  MAILLOGA = /bin/grep 'Connection refused' /var/log/maillog
Cmnd_Alias  MAILLOGB = /bin/grep 'Connection refused' /var/log/maillog.1
Cmnd_Alias  MAILLOGC = /bin/grep 'imap-login' /var/log/maillog
Cmnd_Alias  MAILLOGD = /bin/grep 'imap-login' /var/log/maillog.1
blizz ALL=root NOPASSWD: MAILLOGA, MAILLOGB, MAILLOGC, MAILLOGD

However, this can be cumbersome and can result in an overly large sudo configuration.

Alternatively, instead of grep, you could grant them access to the files via the more command; then they could search the files interactively:

Cmnd_Alias  MAILLOG = /bin/more /var/log/maillog
Cmnd_Alias  MAILLOG1 = /bin/more /var/log/maillog.1
Cmnd_Alias  MAILLOG2 = /bin/more /var/log/maillog.2
Cmnd_Alias  MAILLOG3 = /bin/more /var/log/maillog.3
blizz ALL=root NOPASSWD: MAILLOG, MAILLOG1, MAILLOG2, MAILLOG3

However, this doesn't allow the user to keep a history of their searches (e.g. .bash_history) or create their own scripts or aliases for searches. Plus, if you have log rotation in place, they won't be able to parse the compressed logs.

Note: Do not grant sudo access to the less command. A user could break out of the process; for example, running !/bin/bash in less would give them root access to the system.

Another option is to have rules for them to cat the files so they can pipe them to grep as their heart sees fit. For example:

sudo cat /var/log/maillog | grep "anything can go here"

In the end, the simplest, and likely the best, solution is to grant them read access to the logs by changing the permissions on the log files. You could do something like this:

groupadd logcheck
chgrp logcheck /var/log/maillog*
chmod g+r /var/log/maillog*
usermod -a -G logcheck blizz    # add the existing user to the group

And then they can use any tool they want to analyze the files (e.g. grep, zgrep, less, more, view, etc.).
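As an added example that is not part of either answer, a small POSIX sh lint for the wildcard-argument problem Solution 2 describes: it flags a rule such as the /bin/grep * /var/log/maillog* entry and passes rules whose arguments are literal, like the Cmnd_Alias entries. The function name wildcard_args and the demo rules are constructed here; Cmnd_Alias references are not expanded, so feed it the lines that carry the actual command specs.

```shell
#!/bin/sh
# Added example, not from either answer: lint sudoers command specs for the
# wildcard-argument problem shown in Solution 2 ("/bin/grep * /var/log/maillog*").
# A "*", "?" or "[" in an argument lets the caller pass extra paths, so the
# command reads files the rule never named. Cmnd_Alias names are not expanded.

# wildcard_args "RULE": prints every command whose arguments contain a glob
# character; returns 1 if any was found, 0 when all arguments are literal.
# Only what follows the command path is checked, not the path itself.
wildcard_args() {
    rule=$1
    # The command list begins at the first token that starts with '/'.
    cmdlist=$(printf '%s\n' "$rule" | sed 's#^[^/]*##')
    hits=0
    set -f                   # stop the shell from globbing '*' while we split
    oldifs=$IFS
    IFS=','
    set -- $cmdlist          # one positional parameter per comma-separated spec
    IFS=$oldifs
    for spec in "$@"; do
        set -- $spec         # split this spec into command path and arguments
        [ $# -gt 0 ] || continue
        path=$1
        shift
        case "$*" in
            *\**|*\?*|*\[*)
                printf 'wildcard argument: %s %s\n' "$path" "$*"
                hits=1 ;;
        esac
    done
    set +f
    return $hits
}

# Constructed demo: the dangerous rule from Solution 2 and a literal-argument alias.
for r in 'blizz ALL=root NOPASSWD: /bin/grep * /var/log/maillog*' \
         "Cmnd_Alias MAILLOGA = /bin/grep 'Connection refused' /var/log/maillog"; do
    wildcard_args "$r" || true
done
```

Run as-is it lints only the two constructed rules; pass your own expanded sudoers lines to wildcard_args to check them.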