5

I'm looking for the best way to give a group permission to view any files in /var/log, but only using cat or tail. My best guess right now is that I need to use ACLs:

 setfacl -R -m default:g:group:4 /var/log

Not sure how to limit them only to using cat or tail. Thanks for any suggestions.

user1655887
  • Take a look at this thread: http://unix.stackexchange.com/questions/90998/block-particular-command-in-linux-for-specific-user – Rahul Patil Oct 27 '13 at 23:00
  • Thanks. I will take a look. I am also reading up on visudo and possibly going to use command alias. It looks like it will probably satisfy my needs. – user1655887 Oct 28 '13 at 00:33

1 Answer

2

Rather than muck with the permissions of /var/log I think I'd go the direction of giving these users sudo rights for a limited set of commands.

Setting up sudo access

You can create a command alias in the /etc/sudoers file like so:

# sudoers requires the full path to each command
Cmnd_Alias RDONLY_VARLOG = /usr/bin/tail /var/log/messages, /usr/bin/tail /var/log/maillog, ...

Then grant users access to this command alias, again in the /etc/sudoers file.

# single user
user1    ALL = RDONLY_VARLOG

# group of users (group1)
%group1  ALL = RDONLY_VARLOG
slm
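The answer's alias names each log file explicitly. As an added example (not code from the answer), the shell function below generates such an alias for every regular file in a directory; the `/usr/bin/tail` path, the `build_alias` name and the temporary demo directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build a sudoers Cmnd_Alias with one explicit entry per log file.
# Assumption: tail lives at /usr/bin/tail (check with `command -v tail`).
TAIL=/usr/bin/tail

# build_alias DIR
# Prints a Cmnd_Alias containing "tail <file>" for each regular file directly
# inside DIR. Symlinks are skipped so a link placed in the log directory cannot
# widen the rule, and file names containing characters outside a conservative
# set (for example "," or "=", which are special in sudoers) are skipped.
build_alias() {
    dir=$1
    case $dir in
        /*) ;;                      # sudoers needs absolute paths
        *)  return 2 ;;
    esac
    entries=
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        case ${f#"$dir"/} in
            *[!A-Za-z0-9._-]*) continue ;;
        esac
        entries="${entries:+$entries, }$TAIL $f"
    done
    [ -n "$entries" ] || return 1   # nothing usable found
    printf 'Cmnd_Alias RDONLY_VARLOG = %s\n' "$entries"
}

# Demo on a constructed directory standing in for /var/log.
demo=$(mktemp -d)
: > "$demo/messages"
: > "$demo/maillog"
: > "$demo/odd,name"                # skipped: comma is special in sudoers
ln -s /etc/passwd "$demo/linked"    # skipped: symlink
build_alias "$demo"
printf '%%group1 ALL = RDONLY_VARLOG\n'
rm -rf "$demo"
```

Save the generated lines to a file and check it with `visudo -c -f <file>` before placing it under /etc/sudoers.d. Because each entry includes its argument, sudo permits only that exact invocation, so `sudo tail -f /var/log/messages` would need its own entry.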