7

How can I disable /usr/bin/mysql command in sudoers file? I've tried to use it this way:

%tailonly ALL=!/usr/bin/mysql

But when I access user 'tailonly' of group 'tailonly', this command is still enabled.

In short, I only want that 'tailonly' user access tail -f /usr/app/*.log.

This is possible?

Edit:

With this config, the user 'tailonly' still can access mysql terminal with 'mysql' command:

$: sudo su

$: visudo

Cmnd_Alias MYSQL = /usr/bin/mysql
Cmnd_Alias TAIL=/usr/bin/tail -f /jacad/jacad3/logs/*.log

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%swa    ALL=/etc/init.d/jacad3 stop
%swa    ALL=/etc/init.d/jacad3 start
%swa    ALL=/etc/init.d/jacad3 restart
%swa    ALL=sudoedit /jacad/jacad3/bin/jacad_start.sh

%tailonly ALL=ALL,!MYSQL
Paul T.
  • 189
  • 1
  • 9
Carlos Spohr
  • 193
  • 3
  • 10

1 Answers1

4

I think sudo might not be the right tool for the job.

If you want a certain user to access log files you can use normal unix file permissions and/or extended attributes. To give a user permission to tail a file they need the read permission.

To do this using extended attributes try:

$ setfacl -m u:tailonly:r /usr/app/file

If you want a user to have read all the files in a directory, which is what I think you want to achieve you need to set the default ACL for that user, for that directory. For example:

$ setfacl -d -m user:tailonly:r /usr/app

This will set the permissions of new file to be readable by the tailonly user.

There are some good guides and a similar questios which might help:

https://serverfault.com/questions/2736/how-does-one-get-setfacl-to-set-acl-permissions-recursively-on-ubuntu-9-04-serve

http://www.gnutoolbox.com/acls-setfacl/

Community
  • 1
Peter Jenkins
  • 450