Secure Cooking with Linux, Part 2
Pages: 1, 2
Recipe 5.11. Permitting Read-Only Access to a Shared File via sudo
Author's note: Sharing a file with multiple users is easy with Linux groups. But what if you want to restrict some people to have read-only access to a file, while giving others read/write access? This recipe, from Chapter 5, "Authorization Controls," explains how
sudo can come to the rescue.
Two or more users want to share a file, some read/write and the others read-only.
Create two Linux groups, one for read/write and one for read-only users:
/etc/group: readers:x:300:r1,r2,r3,r4 writers:x:301:w1,w2,w3
Permit the writers group to write the file via group permissions:
$ chmod 660 shared_file $ chgrp writers shared_file
Permit the readers group to read the file via
/etc/sudoers: %readers ALL = (w1) /bin/cat /path/to/shared_file
This situation could arise in a university setting, for example, if a file must be writable by a group of teaching assistants but read-only to a group of students.
If there were only two users -- one reader and one writer -- you could dispense
with groups and simply let the reader access the file via
sudo. If smith is the reader and jones the writer, and we give
smith the following capability:
/etc/sudoers: smith ALL = (jones) NOPASSWD: /bin/cat /home/jones/private.stuff
then jones can protect her file:
jones$ chmod 600 $HOME/private.stuff
and smith can view it:
smith$ sudo -u jones cat /home/jones/private.stuff
sudo(8), sudoers(5), group(5), chmod(1), chgrp(1).
Check back here next week for recipes from Linux Security Cookbook on how to use PAM to restrict authentication on Linux systems, and how to use SMTP to securely accept connections from arbitrary clients.
Return to the Linux DevCenter.