0

My monitoring system runs with lowered permissions but I want it to run a command that needs access a particular file in a folder that the monitoring system is not allowed to enter.

The usual approach would be for me to add that command–user combination to my sudoers file and change the configuration such that the command is executed with sudo. However, I feel that this will give the command in fact many more rights than are needed (I don’t need any write permissions at all).

Is there a sudo-like program that can execute a command as the same user but with the only difference that a particular (pre-defined) file or folder is then accessible? (The file/folder could even have a different name.) Could there be a way to accomplish this with mount namespaces?

Debilski
  • 443
  • 5
  • 7
  • Does this answer your question? https://unix.stackexchange.com/questions/215412/allow-certain-guests-to-execute-certain-commands – Quora Feans Jan 09 '20 at 12:43
  • Do you want to read the file or to execute it? – Romeo Ninov Jan 09 '20 at 12:51
  • @QuoraFeans Unfortunately not. The thing is that I guess I don’t trust my command 100% so I don’t want to give it full sudo permissions – Debilski Jan 09 '20 at 12:58
  • @RomeoNinov I just want to read the file – Debilski Jan 09 '20 at 12:58
  • 1
    @Debilski, in such case use ACL. But if external process change it this may change also ACL. – Romeo Ninov Jan 09 '20 at 13:01
  • Couldn't you just make and update a copy of the file somewhere else? – Quora Feans Jan 09 '20 at 14:10
  • @QuoraFeans the file comes from a different process that I want to monitor and changes regularly (this makes ACLs also trickier to use in the general case as the whole path could be rewritten) – Debilski Jan 09 '20 at 15:19
  • The whole starts to look like a XY problem to me. No offense. – Quora Feans Jan 09 '20 at 16:23
  • I don’t know. To me it seems like a legitimate scenario to give a process only access to those files that it needs and not full root permission. I’d use a container for this but this seems a bit overblown as I only need one file and not a complete environment. — Well, I guess I will try it with ACL though. :) – Debilski Jan 10 '20 at 12:11
  • 1
    If the files are in a specific directory, you could set default ACLs on that directory so every file in it is readable by your user. You could also make it group-readable, and ensure it is owned by a group that your process is in. – Stewart Jun 30 '21 at 16:23
  • Can you create a name for the file (i.e. a hard link) in a directory that is accessible to the monitor? If the file itself is readable, and it's only the directory permissions that are limiting access, that could work. – Toby Speight Jun 30 '21 at 16:52

1 Answers1

0

As a partial solution to this problem that works for small files in a read-only setting, this can partially (read-only) be accomplished by using the LoadCredential directive in a system’s .service file.

Debilski
  • 443
  • 5
  • 7