Solved

Execute permissions and sudoers file in Linux

Posted on 2014-02-26
5
598 Views
Last Modified: 2014-02-27
I want to make sure I am not wrong:

in Linux you can give a group Execute permission to a folder or file, you can also give a group  permissions in the Sudoer file to run certain commands.

to my understanding  you can give Execute permission to groupX to a folder /usr/bin they can run tcpdump ,
Or you can give groupX Execute permission directly to tcpdump file and they can run the file.

The other way is :
under Sudoer.d directory, you can also create a file for instance(accountants), then type the following commands:

%GroupX   ALL= /user/sbin/tcpdump

another thing that I want to know whether it is the same when we grant permissions inside the Sudoer file or it is better to create a file under Sudoer.d directory, then specify permissions inside the file.?

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
5 Comments
 
LVL 27

Assisted Solution

by:serialband
serialband earned 80 total points
ID: 39891010
It depends on what you want them to be able to do.  Those 2 things are different.

Giving them execute permissions, allows them to run the program as themselves.

Giving them sudo permissions, allows them to run that program as if they were root.
0
 
LVL 5

Expert Comment

by:Dave Gould
ID: 39891268
Giving execute to a folder does not give execute rights to the files within.
Execute rights to a folder only give you the right to change directory (cd) to that folder. You still need the rights on the individual files.

As for sudo, I always modify the sudoers file (using visudo) directly.
sudo is more flexible for giving groups of users rights to certain commands and it is easier to trace who does what. This might be important to you. The only real diadvantage for the user is that he has to type sudo before the command.
0
 

Author Comment

by:jskfan
ID: 39892127
1-  So what is the difference between giving GroupX Execute permissions to tcpdump file
/usr/bin/tcpdump
and just do that through sudoer file. I guess the syntax is this:
%GroupX   ALL= /user/sbin/tcpdump

2- And what is the difference between adding the command to sudoer file directly:
%GroupX   ALL= /user/sbin/tcpdump
and creating a file(named accountant) under sudoer.d directory, and inserting the command inside the new file (accountant)?
0
 
LVL 5

Accepted Solution

by:
Dave Gould earned 420 total points
ID: 39892288
1. When you run sudo, you are running the process as the process owner and not yourself.
This means that if the process needs access to other files that you don't normally have access to, it will still run because you are invoking it as root.
Imagine root owns your_script and this script calls another_script (also owned by root).
If you just give group execution rights to GroupX to yourscript, it will not be able to call another_script as GroupX doesn't have execution rights on the latter.
However sudo yourscript and it will run as the root user so when it calls another_script, there will not be a problem.
In your example of tcpdump, this is not likely to be a problem.

2. You can put everything into the sudoers file but some people prefer to have a sudoers file tha covers all the general rules and different config files that can be included as extras. ie include different particularities for some servers but not for others. In this case, you add the line "includedir /etc/sudoers.d" in your sudoers file and any files found in /etc/sudoers.d will also be read (files ending in ~ or containing a . are ignored).
There is no hard and fast rule as to which method you prefer. It is a personal preference.
0
 

Author Closing Comment

by:jskfan
ID: 39893642
Thank you
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now