Sudo and limited rights

Patrick Boutilier boutilpj at ednet.ns.ca
Mon Oct 31 12:43:28 UTC 2011


On 10/31/2011 09:40 AM, Anne Wilson wrote:
> On Monday 31 Oct 2011 12:33:14 Patrick Boutilier wrote:
>> On 10/31/2011 09:27 AM, Anne Wilson wrote:
>>> On Monday 31 Oct 2011 12:21:10 Patrick Boutilier wrote:
>>>> On 10/31/2011 09:16 AM, Anne Wilson wrote:
>>>>> On Monday 31 Oct 2011 10:40:12 Patrick Boutilier wrote:
>>>>>> On 10/31/2011 07:33 AM, Anne Wilson wrote:
>>>>>>> I'm fed up of having to be root to read log files when
>>>>>>> troubleshooting. I'd like to add a sudo line that gives me read-only
>>>>>>> rights to /var/log/ - is this possible?  I've not found any example
>>>>>>> of limited rights like that - and I don't want to allow write access
>>>>>>> to anyone other than root.
>>>>>>>
>>>>>>> Anne
>>>>>>
>>>>>> Not really a KDE issue, but facl should work. $user will be your
>>>>>> userid.
>>>>>>
>>>>>> setfacl -R -m u:$user:r /var/log/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> This one will give you access to newly created log files without
>>>>>> having to run the above again.
>>>>>>
>>>>>>
>>>>>> setfacl -d -R -m u:$user:r /var/log/
>>>>>
>>>>> Thanks.  Unfortunately it doesn't seem to work - kwrite still shows an
>>>>> empty file even though I can see the size of it indicating that it is
>>>>> quite big.
>>>>>
>>>>> Anne
>>>>
>>>> Which file in /var/log/ ?
>>>>
>>>> What does getfacl /var/log/<file>   show?
>>>
>>> # file: var/log/dmesg
>>> # owner: root
>>> # group: root
>>> user::rw-
>>> user:anne:r--
>>> group::r--
>>> mask::r--
>>> other::r--
>>>
>>>> Does this work from a prompt?
>>>>
>>>> tail /var/log/<file>
>>>
>>> tail /var/log/dmesg
>>> -bash: /var/log/dmesg: Permission denied
>>>
>>> Anne
>>
>> Weird, you shouldn't even need to set a facl for /var/log/dmesg as other
>> already has read access via normal unix permissions.
>>
>> other::r--
>>
>>
>> What are the rights on /var and /var/log ?
>>
>> getfacl /var
>> getfacl /var/log
>>
> [root@borg2 ~]# getfacl /var
> getfacl: Removing leading '/' from absolute path names
> # file: var
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> [root@borg2 ~]# getfacl /var/log
> getfacl: Removing leading '/' from absolute path names
> # file: var/log
> # owner: root
> # group: root
> user::rwx
> user:anne:r--
> group::r-x
> mask::r-x
> other::r-x
>
> Anne

Weird. Directories have rx for "other" and the file has r for 
"other". Anybody should be able to read /var/log/dmesg.
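
The access check behind the getfacl output in this thread, as an added example (not part of the original messages): a named-user ACL entry is evaluated instead of "other" (see acl(5)), so user:anne:r-- on the /var/log directory withholds search (x) permission from anne. The ACL entries are copied from the thread; anne's group membership and the user bob are assumptions.

```python
# Added example: POSIX ACL access check run over the getfacl output quoted in the thread.
# Owner and owning group are root for all three objects, as the getfacl headers show.
ACLS = [  # (path, permission needed to read the file, ACL entries copied from the thread)
    ("/var", "x", "user::rwx group::r-x other::r-x"),
    ("/var/log", "x", "user::rwx user:anne:r-- group::r-x mask::r-x other::r-x"),
    ("/var/log/dmesg", "r", "user::rw- user:anne:r-- group::r-- mask::r-- other::r--"),
]

def parse(text):
    """Turn 'tag:qualifier:perms' entries into (tag, qualifier, set_of_perms)."""
    out = []
    for entry in text.split():
        tag, qualifier, perms = entry.split(":")
        out.append((tag, qualifier, set(perms) - {"-"}))
    return out

def allowed(acl, user, groups, want, owner="root", owning_group="root"):
    """The first matching class decides; later classes are never consulted."""
    mask = next((p for t, q, p in acl if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    if user == owner:
        return want in next(p for t, q, p in acl if t == "user" and q == "")
    named = [p for t, q, p in acl if t == "user" and q == user]
    if named:  # a named-user entry wins even when "other" is more permissive
        return want in masked(named[0])
    matching = [p for t, q, p in acl if t == "group" and (q or owning_group) in groups]
    if matching:
        return any(want in masked(p) for p in matching)
    return want in next(p for t, q, p in acl if t == "other")

def first_denial(user, groups, acls=ACLS):
    """Return the first path component that refuses access, or None if the read succeeds."""
    for path, want, text in acls:
        if not allowed(parse(text), user, groups, want):
            return path
    return None

if __name__ == "__main__":
    print("anne:", first_denial("anne", {"anne"}))  # group membership is an assumption
    print("bob: ", first_denial("bob", {"bob"}))    # hypothetical user with no ACL entry
```

setfacl also accepts a capital X, which sets execute only on directories and on files that already have an execute bit, so rX in place of r in the recursive calls keeps directories searchable.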