Providing further privileges with sudoers

afernandezody
Posts: 50
Joined: 2019/06/25 13:10:33

Providing further privileges with sudoers

Post by afernandezody » 2021/11/05 14:54:22

Hello,
My system has an app installed at /opt with root as the owner. I'm trying to accomplish 2 things (edit and compile) but I'll focus on the first one, which is simpler to explain. Because everything is owned by root, I can actually edit using sudo but opening any of these as the user (centos) states that the file is readonly (all of this is the expected behavior). To be able to edit the file as the user, I'm trying to modify sudoers but here is where I'm unsure how to proceed. The sudoers file has about 127 lines but the ones I'm looking at are:

Code:

...
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
...
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
centos  ALL=(ALL)       NOPASSWD: ALL

The latter lines allow the user to use sudo with most commands. However, I'd like to edit files owned by root without having to include sudo to call vi or any other editor.
Thanks.

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Providing further privileges with sudoers

Post by MartinR » 2021/11/05 17:33:41

That last line opens things up way too far. You say "I'd like to edit files owned by root without having to include sudo to call vi or any other editor", so why modify /etc/sudoers? Incidentally, it's much cleaner to leave that file alone and drop a small script into /etc/sudoers.d; I'll give an example later.

First question: why is everything owned by root? Could you not create a system user and group for the app, and add yourself to the group if you need to edit as yourself? If that's not feasible, consider using ACLs on the files and the containing directory.

If you are forced to use sudo then here is an example of the file used by my backup utility:

Code:

# Sudoers drop-in extension to permit backups to be run unprivileged.
#
# Version 0.9
#
# NOTE: This file must be installed in /etc/sudoers.d/ with root ownership
#       and mode 0440.  Use
#		visudo -c
#	to check that all is well.
#
#	Define the commands that need enhanced privilege:
#
Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump
#
#	Define the users who can run backups:
#
User_Alias BACKUP_USERS = backups
#
#	Set the permitted action:
#
BACKUP_USERS ALL=NOPASSWD: BACKUPS
#
#	BACKUP_USERS on any machine are permitted to =
#	without specifying a password run BACKUPS as root.

Obviously you'll want to use editors instead of dumps, but you need to be very careful to protect that account once privileges are enabled. Some editors will allow you to escape to the command line, so enabling them like this can effectively give root access to all files - are you sure you want to do this?

TrevorH
Site Admin
Posts: 33269
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Providing further privileges with sudoers

Post by TrevorH » 2021/11/05 17:48:55

"I can actually edit using sudo but opening any of these as the user (centos) states that the file is readonly"
The answer to that is probably 'sudoedit'.
"I'd like to edit files owned by root without having to include sudo to call vi or any other editor."
They are probably owned by root to stop that exact thing happening.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

afernandezody
Posts: 50
Joined: 2019/06/25 13:10:33

Re: Providing further privileges with sudoers

Post by afernandezody » 2021/11/05 18:01:54

Hi MartinR,
Thanks. I understand your concern for safety but it's a cloud-based system so even if something goes really wrong, there's no damage.
I tried your solution but it's still not working. The sudoers.d subdirectory now has 2 files:

Code:

-r--r-----. 1 root root 1009 Nov  5 17:46 90-cloud-init-users
-r--r-----  1 root root  100 Nov  5 17:52 addendum

The first is original and has the following lines:

Code:

# User rules for centos
centos ALL=(ALL) NOPASSWD:ALL

repeated about 20 times (not sure why). The file that I created (addendum) is 3 lines long (w/o any comment):

Code:

Cmnd_Alias EDITOR = /usr/bin/vim
User_Alias EDITOR_USERS = centos
EDITOR_USERS ALL=NOPASSWD: EDITOR

I tried rebooting but any file with root ownership still opens as readonly.

tunk
Posts: 1215
Joined: 2017/02/22 15:08:17

Re: Providing further privileges with sudoers

Post by tunk » 2021/11/05 18:02:55

I guess it depends on the app - would it be possible to
change the ownership of /opt/"myapp" to the user? And
change it back when you're finished.

Edit: Or copy everything to the user's home directory,
and copy it back when finished.

afernandezody
Posts: 50
Joined: 2019/06/25 13:10:33

Re: Providing further privileges with sudoers

Post by afernandezody » 2021/11/05 18:34:03

Hi @tunk,
That's actually what I was trying to do in the last few minutes. It might be a more workable solution even if that wasn't my first thought. Thanks.

TrevorH
Site Admin
Posts: 33269
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Providing further privileges with sudoers

Post by TrevorH » 2021/11/05 18:37:59

If you amend /etc/sudoers then you must use sudo to pick up those privileges. They don't affect what you can do without using sudo.

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Providing further privileges with sudoers

Post by MartinR » 2021/11/05 18:55:51

Obviously, as Trevor said. @afernandezody - did you run the command # visudo -c to check all was well?

afernandezody
Posts: 50
Joined: 2019/06/25 13:10:33

Re: Providing further privileges with sudoers

Post by afernandezody » 2021/11/05 19:14:48

Hi.
Yes, I did use visudo

Code:

/etc/sudoers: parsed OK
/etc/sudoers.d/90-cloud-init-users: parsed OK
/etc/sudoers.d/addendum: parsed OK

It's still not working but I would like to learn why. In the meantime, I'm probably following the alternate route changing ownership to the user, doing what I have to do, and changing the ownership back to root. Thanks.
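
Added example, not written by any poster in this thread: a small shell/awk audit over sudoers text that flags the two patterns discussed above (a blanket ALL grant, and a rule that runs an interactive editor as root, which is MartinR's shell-escape concern) and marks sudoedit rules as the narrower alternative TrevorH points to. The sample input is constructed from the files quoted in the thread; the SAFE_EDIT alias, the /opt/myapp/conf/app.conf path and the list of editor names are assumptions.

```shell
#!/bin/sh
# Added example. Constructed input modelled on the sudoers files quoted above;
# SAFE_EDIT and /opt/myapp/conf/app.conf are hypothetical.
sample_sudoers() {
cat <<'EOF'
# User rules for centos
centos ALL=(ALL) NOPASSWD:ALL
Cmnd_Alias EDITOR = /usr/bin/vim
User_Alias EDITOR_USERS = centos
EDITOR_USERS ALL=NOPASSWD: EDITOR
Cmnd_Alias SAFE_EDIT = sudoedit /opt/myapp/conf/app.conf
EDITOR_USERS ALL=NOPASSWD: SAFE_EDIT
EOF
}

# Reads sudoers text on stdin, prints "<line>: <FINDING> [command]" per rule.
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, #includedir, blanks
    /^[ \t]*Cmnd_Alias[ \t]/ {                   # remember alias -> command list
      sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
      name = $0; sub(/[ \t]*=.*/, "", name)
      list = $0; sub(/^[^=]*=[ \t]*/, "", list)
      alias[name] = list; next
    }
    /^[ \t]*(User_Alias|Host_Alias|Runas_Alias|Defaults)/ { next }
    { n++; rule[n] = $0; where[n] = NR }         # user specification line
    END {                                        # every alias is known by now
      for (i = 1; i <= n; i++) {
        cmds = rule[i]; sub(/^[^=]*=[ \t]*/, "", cmds)
        gsub(/\([^)]*\)/, "", cmds)              # drop the (runas) part
        gsub(/[A-Z_]+:[ \t]*/, "", cmds)         # drop tags such as NOPASSWD:
        check(where[i], cmds)
      }
    }
    # The editor/pager name list below is an assumed, illustrative set.
    function check(ln, cmdlist,   parts, cnt, k, c, exe) {
      cnt = split(cmdlist, parts, /[ \t]*,[ \t]*/)
      for (k = 1; k <= cnt; k++) {
        c = parts[k]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c in alias) { check(ln, alias[c]); continue }
        exe = c; sub(/[ \t].*/, "", exe); sub(/.*\//, "", exe)
        if (c == "ALL") print ln ": ALL-COMMANDS"
        else if (exe == "sudoedit") print ln ": OK-SUDOEDIT " c
        else if (exe ~ /^(vi|vim|view|nano|emacs|less|more|ed)$/)
          print ln ": SHELL-CAPABLE-EDITOR " c
      }
    }
  '
}

sample_sudoers | audit_sudoers
```

To check a real drop-in, feed it on stdin as root, for example `audit_sudoers < /etc/sudoers.d/addendum`; the audit reads one file at a time and does not follow include directives.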

TrevorH
Site Admin
Posts: 33269
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Providing further privileges with sudoers

Post by TrevorH » 2021/11/05 20:46:11

I think you just need to use sudoedit.