Solved

Execute permissions and sudoers file in Linux

Posted on 2014-02-26
5
603 Views
Last Modified: 2014-02-27
I want to make sure I am not wrong:

in Linux you can give a group Execute permission to a folder or file, you can also give a group  permissions in the Sudoer file to run certain commands.

to my understanding  you can give Execute permission to groupX to a folder /usr/bin they can run tcpdump ,
Or you can give groupX Execute permission directly to tcpdump file and they can run the file.

The other way is :
under Sudoer.d directory, you can also create a file for instance(accountants), then type the following commands:

%GroupX   ALL= /user/sbin/tcpdump

another thing that I want to know whether it is the same when we grant permissions inside the Sudoer file or it is better to create a file under Sudoer.d directory, then specify permissions inside the file.?

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
5 Comments
 
LVL 28

Assisted Solution

by:serialband
serialband earned 80 total points
ID: 39891010
It depends on what you want them to be able to do.  Those 2 things are different.

Giving them execute permissions, allows them to run the program as themselves.

Giving them sudo permissions, allows them to run that program as if they were root.
0
 
LVL 5

Expert Comment

by:Dave Gould
ID: 39891268
Giving execute to a folder does not give execute rights to the files within.
Execute rights to a folder only give you the right to change directory (cd) to that folder. You still need the rights on the individual files.

As for sudo, I always modify the sudoers file (using visudo) directly.
sudo is more flexible for giving groups of users rights to certain commands and it is easier to trace who does what. This might be important to you. The only real diadvantage for the user is that he has to type sudo before the command.
0
 

Author Comment

by:jskfan
ID: 39892127
1-  So what is the difference between giving GroupX Execute permissions to tcpdump file
/usr/bin/tcpdump
and just do that through sudoer file. I guess the syntax is this:
%GroupX   ALL= /user/sbin/tcpdump

2- And what is the difference between adding the command to sudoer file directly:
%GroupX   ALL= /user/sbin/tcpdump
and creating a file(named accountant) under sudoer.d directory, and inserting the command inside the new file (accountant)?
0
 
LVL 5

Accepted Solution

by:
Dave Gould earned 420 total points
ID: 39892288
1. When you run sudo, you are running the process as the process owner and not yourself.
This means that if the process needs access to other files that you don't normally have access to, it will still run because you are invoking it as root.
Imagine root owns your_script and this script calls another_script (also owned by root).
If you just give group execution rights to GroupX to yourscript, it will not be able to call another_script as GroupX doesn't have execution rights on the latter.
However sudo yourscript and it will run as the root user so when it calls another_script, there will not be a problem.
In your example of tcpdump, this is not likely to be a problem.

2. You can put everything into the sudoers file but some people prefer to have a sudoers file tha covers all the general rules and different config files that can be included as extras. ie include different particularities for some servers but not for others. In this case, you add the line "includedir /etc/sudoers.d" in your sudoers file and any files found in /etc/sudoers.d will also be read (files ending in ~ or containing a . are ignored).
There is no hard and fast rule as to which method you prefer. It is a personal preference.
0
 

Author Closing Comment

by:jskfan
ID: 39893642
Thank you
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Fine Tune your automatic Updates for Ubuntu / Debian
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question