I'm building a LEMP stack script powered by bash scripts and CLI aliases. For security reasons, all of the bash scripts, and the stack config file (also bash syntax), are owned by root:root.
I added some bash alias commands for easier management inside the sudo user's .bashrc file to save keystrokes when the sudo user wants to run a bash script.... these work great; however, I'd like to expand these by allowing certain alias commands to integrate with variable options defined in the stack config file.
For example, SITE_NOINDEX is defined in the config file owned by root:root, and maybe I want to have a bash alias available to the sudo user to view this option's value.
The problem is that the config file is chmod 0700 for security reasons, and it seems the easiest fix is to change all the bash scripts and the config file to 0740 and either add the sudo user to group "root" or change the ownership of all scripts to be something less secure like root:sudo, which seems a little bit goofy... is there a better solution here?
Edit: currently a Permission denied error is given if I try to simply source the stack config file inside the sudo user's .bashrc file (after trying to restart the bash session). The rest of the normal aliases work fine, but none of the shell variables in the config file are readable with the current permissions.
Related: How to secure a sudo - powered script
Related: What's the best, secure way to share some .bashrc source between users and root?
… .bashrc, which is understandable; but how about a split configuration file? You'd have one with root-only settings (root:root, permissions 0700), and one with non-confidential settings (root:root still, but permissions 0755). – Stephen Kitt Aug 23 '22 at 08:43

… root group (or root user to sudo group)... neither one is ideal. It either breaks "single source of truth" or requires messy user groups! – Jesse Nickles Aug 23 '22 at 10:31