4

I have a limited user and access to root. How can I give that user the possibility to remove files owned by root?

I have the following line added in /etc/sudoers.d/john : john ALL=(ALL) NOPASSWD:/var/opt/OV/tmp/*yet I'm unable to perform touch or rm commands under /var/opt/OV/tmp. What do I need extra?

I don't know the syntax or how it should exactly be set, so the user john can execute only rm or touch under /var/opt/OV/tmp/. I'm thinking somewhere allong the lines Cmnd_Alias REMOVE=/bin/rm Cmnd_Alias CREATE=/bin/touch john ALL = (ALL) NOPASSWD: REMOVE, CREATE, /var/opt/OV/tmp. Let me know if this might work or if I need something added/removed. No, the chmod&chown commands will not help since the files under /var/opt/OV/tmp are owned by root.

Improve this question
8
  • 4
    That last bit of the line should be a command with optional arguments. Allowing someone to do rm /var/log/* using sudo would, in my humble opinion, be a really bad idea. It would be better to allow them to run a script (with no arguments) that deleted pre-selected files (or rotated them, even better). Commented Feb 22, 2019 at 13:41
  • Could you please give an example? Is john ALL = (ALL) NOPASSWD: /var/log/* rm rf enough ? Commented Feb 22, 2019 at 13:45
  • 2
    It's an especially bad idea because of the way sudo matches wildcards (across word boundaries) - man sudoers even warns against this specifically Commented Feb 22, 2019 at 14:01
  • 1
    surely more like john ALL = (ALL) NOPASSWD: /bin/rm -rf /var/log/* ? This totally wrecks the security of the server. John would be able to sudo rm -rf /var/log/../../etc and trash the server. Commented Feb 22, 2019 at 14:01
  • 1
    Just because i am curious: Why should a normal user delete the files under /var/log? If you have storage limitations, consider the use of 'logrotate'. Commented Feb 22, 2019 at 15:11

1 Answer 1

Reset to default
2

You can give an ordinary user permissions to remove files owned by root simply by giving them write access to the parent directory. No need for sudo.

In the example, you want the user to be able to delete files from /var/log, so you could change the permissions on that directory so your user could create (and therefore delete) files.

You might choose to do this by creating a new group that contained only your user, and changing the group ownership of the directory to match, and then adding group write permission.

chgrp johnsgroup /var/log
chmod g+w /var/log

Please note that I have not tested this suggestion, and it may be that the group write access is already required by some other application in order to write files to the directory. YMMV as they say.

Improve this answer
7
  • Thank you for this suggestion, however, I would prefer these files to still be owned by root. I just need them removed by john under root's ownership. Commented Feb 24, 2019 at 12:39
  • @AiureaAdicatotYO who said anything about the files being owned by john? I didn't. Commented Feb 24, 2019 at 21:10
  • It's the same as chown root:john and the group will be changed. I don't really need any modifications to the folder or files. Commented Feb 25, 2019 at 7:29
  • 3
    I believe I found what I needed. setfacl -R -m 'u:john:rwx' /var/opt/ . Commented Feb 25, 2019 at 8:26
  • 2
    ACLs are the bane of sysadmins. They can often be the source of really hard-to-find dysfunctions. Most generic directory-listing and permission-listing tools will not show them To see them, you need specific command-line utilities, which are not always installed by default. Parent-directory permissions answer upvoted. Commented Oct 20, 2020 at 9:43

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.