how to restrict a user to access the file

Question

I have created a file which resides inside my directory on a unix server. People have sudo privileges. How can I restrict them to read that file (even when they have sudo previleges) ?

If they have sudo priveleges then they can just change to you anyway. — 123, Jan 13 '16 at 15:44
giving sudo to the users is giving the keys to the kingdom. Unless you are using a 3rd party privilege broker application, which acts as a wrapper around what seems to be the root account, what you are trying to do is impossible with the standard UNIX operation. root user is meant to be the absolute power to do anything, in the case of an administrative need. But today, unfortunately it is being used to fix problems created by sloppy coding. — MelBurslan, Jan 13 '16 at 15:48
You could always use sudo chattr +i file and hope that none of them know how to undo it. — 123, Jan 13 '16 at 16:01
@PaulCalabro Yes I do have access to sudoers file... but please do not ask me to remove other users' id from this :) — anurag, Jan 13 '16 at 16:02
Sets the file to immutable, so pretty much read only, even root can't edit it unless you remove the attribute. — 123, Jan 13 '16 at 16:04
In your sudoer file you can specify what identity and what kind of program your users can use. Perhaps you can restrict their access. Did they really need root permissions ? — dervishe, Jan 13 '16 at 16:11

Paul Calabro · Answer 1 · 2016-01-13T21:12:34.527

2

Providing sudo access does not have to equate to:

giving the keys to the kingdom.

Just don't be so generous with your sudoers permissions. If you want them to just have access to read a file, provide only sudo access to cat.

Also, be careful of granting sudo access to apps like vim or less, which allow you to drop into a shell (as root).

edited Jan 13 '16 at 21:12

answered Jan 13 '16 at 16:16

Paul Calabro

530

1

Actually one can get root shell form less as easy as from vim – user1700494 Jan 13 '16 at 16:51
Interesting! How do you shell escape in less? – Paul Calabro Jan 13 '16 at 16:57
1

:!vi - moves you to vi, the rest of way is known to you :) – user1700494 Jan 13 '16 at 17:04
Whoa! Just tried it. Did not know about! [spine chill] Thanks for the heads up! – Paul Calabro Jan 13 '16 at 17:39

score 1 · Answer 2 · answered Jan 13 '16 at 15:39

1

SELinux would be a way to do this -> https://en.wikipedia.org/wiki/Security-Enhanced_Linux

By definition, root has access to everything, so you won't have much luck otherwise, I'm afraid.

answered Jan 13 '16 at 15:39

mikeb

328

how to restrict a user to access the file

2 Answers2