
I have created a file which resides inside my directory on a Unix server. People have sudo privileges. How can I restrict them from reading that file (even when they have sudo privileges)?

anurag
  • If they have sudo privileges then they can just change to you anyway. – 123 Jan 13 '16 at 15:44
  • Giving sudo to the users is giving the keys to the kingdom. Unless you are using a 3rd-party privilege broker application, which acts as a wrapper around what seems to be the root account, what you are trying to do is impossible with standard UNIX operation. The root user is meant to be the absolute power to do anything, in the case of an administrative need. But today, unfortunately, it is being used to fix problems created by sloppy coding. – MelBurslan Jan 13 '16 at 15:48
  • Do you have the ability to modify the sudoers file? – Paul Calabro Jan 13 '16 at 15:52
  • You could always use sudo chattr +i file and hope that none of them know how to undo it. – 123 Jan 13 '16 at 16:01
  • @PaulCalabro Yes, I do have access to the sudoers file... but please do not ask me to remove other users' ids from this :) – anurag Jan 13 '16 at 16:02
  • @User112638726: can you please explain this chattr thing? – anurag Jan 13 '16 at 16:02
  • Sets the file to immutable, so pretty much read-only; even root can't edit it unless you remove the attribute. – 123 Jan 13 '16 at 16:04
  • In your sudoers file you can specify what identity and what kind of program your users can use. Perhaps you can restrict their access. Do they really need root permissions? – dervishe Jan 13 '16 at 16:11

2 Answers


Providing sudo access does not have to equate to "giving the keys to the kingdom."

Just don't be so generous with your sudoers permissions. If you want them to just have access to read a file, provide only sudo access to cat.

Also, be careful of granting sudo access to apps like vim or less, which allow you to drop into a shell (as root).
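As an added example, not part of either answer, here is a small POSIX shell script that emits the kind of narrow sudoers rule described above (one user, cat, one fixed file) and lints a sudoers fragment for commands that can drop into a shell. The user name "bob", the path /home/anurag/secret.txt and the list of flagged commands are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Builds the narrow sudoers
# rule the answer recommends and lints sudoers text for commands that offer
# a shell escape. "bob" and /home/anurag/secret.txt are constructed placeholders.

READER="bob"
SECRET_FILE="/home/anurag/secret.txt"

# One user, one command, one fixed argument. Pinning the argument matters:
# a bare "/bin/cat" rule would let the user run "sudo cat /etc/shadow" too.
# No NOPASSWD tag, so the caller still has to authenticate.
make_rule() {
    printf '%s ALL=(root) /bin/cat %s\n' "$READER" "$SECRET_FILE"
}

# Exit 0 if no rule in the given sudoers text grants "ALL" or a command that
# can spawn an interactive shell (vim's :!sh, less's !sh, ...); exit 1
# otherwise. Only the command word is examined, so an argument such as
# "/bin/cat /etc/vim" does not trigger it.
lint_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '
        /^[[:space:]]*Defaults/ { next }
        /=/ {
            # keep only the command list: drop "user host=", "(runas)" and TAG: prefixes
            sub(/^[^=]*=/, ""); gsub(/\([^)]*\)/, ""); gsub(/[A-Z]+:/, "")
            n = split($0, cmds, ",")
            for (i = 1; i <= n; i++) {
                split(cmds[i], w, "[ \t]+")
                cmd = w[1]; if (cmd == "") cmd = w[2]
                sub(/.*\//, "", cmd)               # /usr/bin/vim -> vim
                if (cmd == "ALL" || cmd ~ /^(vi|vim|less|more|nano|sh|bash|su)$/) bad++
            }
        }
        END { exit (bad > 0) }'
}

# When run directly: print the rule and lint it. Before installing a rule
# for real, also validate the file with "visudo -c -f <file>".
rule="$(make_rule)"
printf '%s\n' "$rule"
lint_rules "$rule" && echo "no shell-escape commands granted"
```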


SELinux would be a way to do this -> https://en.wikipedia.org/wiki/Security-Enhanced_Linux

By definition, root has access to everything, so you won't have much luck otherwise, I'm afraid.

mikeb