Solved

Execute permissions and sudoers file in Linux

Posted on 2014-02-26
Last Modified: 2014-02-27
I want to make sure I am not wrong:

In Linux you can give a group execute permission to a folder or file; you can also give a group permissions in the sudoers file to run certain commands.

To my understanding, you can give groupX execute permission on the folder /usr/bin and they can run tcpdump,
or you can give groupX execute permission directly on the tcpdump file and they can run the file.

The other way is:
Under the sudoers.d directory, you can also create a file, for instance (accountants), then type the following commands:

%GroupX   ALL= /usr/sbin/tcpdump

Another thing that I want to know is whether it is the same when we grant permissions inside the sudoers file, or whether it is better to create a file under the sudoers.d directory and then specify permissions inside that file?

Thanks
Question by:jskfan

Assisted Solution

by:serialband
serialband earned 80 total points
ID: 39891010
It depends on what you want them to be able to do. Those 2 things are different.

Giving them execute permissions allows them to run the program as themselves.

Giving them sudo permissions allows them to run that program as if they were root.

Expert Comment

by:Dave Gould
ID: 39891268
Giving execute to a folder does not give execute rights to the files within.
Execute rights to a folder only give you the right to change directory (cd) to that folder. You still need the rights on the individual files.

As for sudo, I always modify the sudoers file (using visudo) directly.
sudo is more flexible for giving groups of users rights to certain commands and it is easier to trace who does what. This might be important to you. The only real disadvantage for the user is that he has to type sudo before the command.
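
The directory-versus-file distinction in the comment above, as an added example that is not part of the original thread. It reads mode bits only, so it behaves the same for any user; the `tools/capture` tree and the function names are constructed for illustration.

```bash
# Added example: find the permission bit that stops a group member running a file.
# Assumes GNU stat (Linux) and a caller who is in the owning group but is not the
# owner, so the group digit of each mode decides; ACLs and root are ignored.

# Succeeds if the group digit of $1's mode has the execute/search bit set.
group_has_x() {
    local mode; mode=$(stat -c %a "$1")
    [ $(( ($mode / 10) % 10 & 1 )) -eq 1 ]
}

# Walk relative path $2 below $1 and report the first component lacking group x.
first_blocker() {
    local cur="$1" rest="$2" part
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$cur/$part
        group_has_x "$cur" && continue
        if [ -d "$cur" ]; then echo "directory $part: no search (x) bit"
        else echo "file $part: no execute (x) bit"; fi
        return 0
    done
    echo "ok"
}

# Constructed sample: tools/capture created with the given directory and file modes.
try_modes() {
    local base; base=$(mktemp -d)
    mkdir "$base/tools"
    printf '#!/bin/sh\necho captured\n' > "$base/tools/capture"
    chmod "$2" "$base/tools/capture"; chmod "$1" "$base/tools"
    first_blocker "$base" tools/capture
    rm -rf "$base"
}

try_modes 750 640   # directory searchable, file not executable
try_modes 740 750   # file executable, directory not searchable
try_modes 750 750   # both bits present
```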

Author Comment

by:jskfan
ID: 39892127
1- So what is the difference between giving GroupX execute permissions to the tcpdump file
/usr/bin/tcpdump
and just doing that through the sudoers file? I guess the syntax is this:
%GroupX   ALL= /usr/sbin/tcpdump

2- And what is the difference between adding the command to the sudoers file directly:
%GroupX   ALL= /usr/sbin/tcpdump
and creating a file (named accountant) under the sudoers.d directory, and inserting the command inside the new file (accountant)?

Accepted Solution

by:Dave Gould
Dave Gould earned 420 total points
ID: 39892288
1. When you run sudo, you are running the process as the process owner and not yourself.
This means that if the process needs access to other files that you don't normally have access to, it will still run because you are invoking it as root.
Imagine root owns your_script and this script calls another_script (also owned by root).
If you just give group execution rights to GroupX to your_script, it will not be able to call another_script as GroupX doesn't have execution rights on the latter.
However, sudo your_script and it will run as the root user, so when it calls another_script, there will not be a problem.
In your example of tcpdump, this is not likely to be a problem.

2. You can put everything into the sudoers file, but some people prefer to have a sudoers file that covers all the general rules and different config files that can be included as extras, i.e. include different particularities for some servers but not for others. In this case, you add the line "#includedir /etc/sudoers.d" in your sudoers file and any files found in /etc/sudoers.d will also be read (files ending in ~ or containing a . are ignored).
There is no hard and fast rule as to which method you prefer. It is a personal preference.
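
A check for the drop-in directory described in the answer above, as an added example that is not part of the original thread. It flags files the include silently skips, files whose mode differs from sudo's default 0440, and rules naming a command path that does not exist on the host; the sample directory, its paths and the function names are constructed.

```bash
# Added example: lint a sudoers.d-style directory (no root or sudo needed).
# Assumes GNU stat (Linux) and rules shaped like: who host = [(runas)] [TAG:] /cmd[, /cmd]

# sudo's #includedir skips file names that end in '~' or contain a '.'.
is_included_name() {
    case "$1" in
        *~|*.*) return 1 ;;
    esac
    return 0
}

# Print one finding per line for each problem found in directory $1.
lint_sudoers_dir() {
    local f name mode
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! is_included_name "$name"; then
            echo "SKIPPED $name"
            continue
        fi
        mode=$(stat -c %a "$f")
        [ "$mode" = 440 ] || echo "MODE $name $mode"   # 0440 is the default sudoers_mode
        # Keep the text after '=', drop (runas) and TAG:, split the command list.
        grep -Ev '^[[:space:]]*(#|Defaults|$)' "$f" |
        sed -E 's/^[^=]*=//; s/\([^)]*\)//g; s/[A-Z_]+://g' | tr ',' '\n' |
        while read -r cmd _; do
            case "$cmd" in
                /*) [ -x "$cmd" ] || echo "MISSING $name $cmd" ;;
            esac
        done
    done
}

# Constructed sample standing in for /etc/sudoers.d; all paths are hypothetical.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir "$d/bin" "$d/sudoers.d"
    printf '#!/bin/sh\n' > "$d/bin/tcpdump"; chmod 755 "$d/bin/tcpdump"
    echo "%GroupX ALL = $d/bin/tcpdump" > "$d/sudoers.d/accountants"
    echo "%GroupX ALL = (root) NOPASSWD: $d/sbin/tcpdump" > "$d/sudoers.d/netops"
    cp "$d/sudoers.d/accountants" "$d/sudoers.d/accountants.bak"
    chmod 440 "$d/sudoers.d/accountants" "$d/sudoers.d/accountants.bak"
    chmod 644 "$d/sudoers.d/netops"
    echo "$d/sudoers.d"
}

lint_sudoers_dir "$(make_sample)"
```

On a real host, `visudo -c` remains the authoritative syntax check; this lint only covers the naming, mode and path problems that a syntax check does not report.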

Author Closing Comment

by:jskfan
ID: 39893642
Thank you