<div>
Are you sure that the files aren't already globally readable?&nbsp;
</div>


<div>
Most of the files in /etc can be read by a normal user. If you find any file that normal user can't access, you can change the file permission as required.<br><br><br>
</div>


<div>
how can I prevent sudoers user by sudo su - and entering their password to be root and leave other users with sudo su -
</div>


<div>
Allowing `sudo ls` &nbsp;and `sudo cat` &nbsp;will give them 99% of what they need.<br>`sudo tail -f` &nbsp;is also useful.<br>`sudo find` &nbsp;is risky, as the -exec options would allow them to modify files. Though it's possible to write a wrapper script that disallows those options.<br>`sudo view` &nbsp;is no good, as `view` allows you to force-write files or open a subshell as root<br><br>With those basic commands &amp; pipes or redirection, more complex yet safe commands can be constructed:<br>`sudo cat file |grep {pattern}` &nbsp;executes cat as root but grep as the unprivileged user.<br>(this would normally be a Useless Use Of Cat, but has a purpose here)<br>`sudo cat file &gt; /tmp/file_copy` &nbsp;makes a copy they can then edit as the unprivileged user<br>(I'm not sure if they can "escape" the "&gt;" to allow overwriting read-only files!)
</div>


<div>
Hi david <br><br>what about 1-if I like user not to use sudo su - and will able to read all configuration for view only <br>2- another suggestion to let user read all configuration but when do sudo su - it will be asked for root password <br>waiting for your kind experienced advice&nbsp;
</div>


<div>
1-if I like user not to use sudo su - and will able to read all configuration for view only...<br />
<br />
This is what the <b>chmod ugo+r /path</b> command solves.<br />
<br />
My rule is anyone can read anything, except sensitive data.<br />
<br />
This minimizes the requirement for adding uses to the sudo group.<br />
<br />
2- another suggestion to let user read all configuration but when do sudo su - it will be asked for root password<br />
<br />
This is how su + sudo work, they prompt for a password.<br />
<br />
This is essential security.<br />
<br />
If you disable this, anytime any sudo group user is hacked, the hacker has instant root access to the entire machine/container/VM.<br />
<br />
Do not under any circumstance try to defeat password prompting.<br />
<br />
Can you disable password prompting? Yes.<br />
<br />
Should you? Only if you'd like to be have no clue what happened each time your machine is hacked.
</div>


<div>
<div class="content wysiwyg-content fr-view">
Hello experts<br>I have user that have root access by switching sudo su - to root as I want to withdraw user access as sudo and add it only permission as read only for config files or &nbsp;commands as ls-la<br>df-dk ,...etc without letting user being able to make any changes to linux &nbsp;machine so tobe read only group for all commands and all config files.<br><br>waiting for your kind advice<br><br><br>
</div>
</div>



Hello experts
I have user that have root access by switching sudo su - to root as I want to withdraw user access as sudo and add it only permission as read only for config files or  commands as ls-la
df-dk ,...etc without letting user being able to make any changes to linux  machine so tobe read only group for all commands and all config files.
waiting for your kind advice

allow user for readonly config or readonly  commands  in linux and prevent editing or changing any files config or linux settings

Linux is a UNIX-like open source operating system with hundreds of distinct distributions, including: Fedora, openSUSE, Ubuntu, Debian, Slackware, Gentoo, CentOS, and Arch Linux. Linux is generally associated with web and database servers, but has become popular in many niche industries and applications.

Linux

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be removed, generally divided into two parts: authentication and access control. Authentication is responsible for ensuring that a user requesting access to the system is really the user with the account, while access control is responsible for controlling which resources each account has access to and what kind of access is permitted.