Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 641
  • Last Modified:

Execute permissions and sudoers file in Linux

I want to make sure I am not wrong:

in Linux you can give a group Execute permission to a folder or file, you can also give a group  permissions in the Sudoer file to run certain commands.

to my understanding  you can give Execute permission to groupX to a folder /usr/bin they can run tcpdump ,
Or you can give groupX Execute permission directly to tcpdump file and they can run the file.

The other way is :
under Sudoer.d directory, you can also create a file for instance(accountants), then type the following commands:

%GroupX   ALL= /user/sbin/tcpdump

another thing that I want to know whether it is the same when we grant permissions inside the Sudoer file or it is better to create a file under Sudoer.d directory, then specify permissions inside the file.?

Thanks
0
jskfan
Asked:
jskfan
  • 2
  • 2
2 Solutions
 
serialbandCommented:
It depends on what you want them to be able to do.  Those 2 things are different.

Giving them execute permissions, allows them to run the program as themselves.

Giving them sudo permissions, allows them to run that program as if they were root.
0
 
Dave GouldOnsite SupportCommented:
Giving execute to a folder does not give execute rights to the files within.
Execute rights to a folder only give you the right to change directory (cd) to that folder. You still need the rights on the individual files.

As for sudo, I always modify the sudoers file (using visudo) directly.
sudo is more flexible for giving groups of users rights to certain commands and it is easier to trace who does what. This might be important to you. The only real diadvantage for the user is that he has to type sudo before the command.
0
 
jskfanAuthor Commented:
1-  So what is the difference between giving GroupX Execute permissions to tcpdump file
/usr/bin/tcpdump
and just do that through sudoer file. I guess the syntax is this:
%GroupX   ALL= /user/sbin/tcpdump

2- And what is the difference between adding the command to sudoer file directly:
%GroupX   ALL= /user/sbin/tcpdump
and creating a file(named accountant) under sudoer.d directory, and inserting the command inside the new file (accountant)?
0
 
Dave GouldOnsite SupportCommented:
1. When you run sudo, you are running the process as the process owner and not yourself.
This means that if the process needs access to other files that you don't normally have access to, it will still run because you are invoking it as root.
Imagine root owns your_script and this script calls another_script (also owned by root).
If you just give group execution rights to GroupX to yourscript, it will not be able to call another_script as GroupX doesn't have execution rights on the latter.
However sudo yourscript and it will run as the root user so when it calls another_script, there will not be a problem.
In your example of tcpdump, this is not likely to be a problem.

2. You can put everything into the sudoers file but some people prefer to have a sudoers file tha covers all the general rules and different config files that can be included as extras. ie include different particularities for some servers but not for others. In this case, you add the line "includedir /etc/sudoers.d" in your sudoers file and any files found in /etc/sudoers.d will also be read (files ending in ~ or containing a . are ignored).
There is no hard and fast rule as to which method you prefer. It is a personal preference.
0
 
jskfanAuthor Commented:
Thank you
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now