sudo or acl or setuid/setgid?
Posted
by
Xavier Maillard
on Server Fault
See other posts from Server Fault
or by Xavier Maillard
Published on 2010-06-01T20:09:03Z
Indexed on
2012/12/05
11:09 UTC
Read the original article
Hit count: 211
for a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are way to read a logfile (head/tail/cat/more, ...).
I think, sudo is defeating here.
I'd rather use a mix of setgid/setuid directories and add ACL here and there but I really need to know what are the best practices before starting up.
Our servers have %admin, %production, %dba, %users -i.e many groups and many users. Each service (mysql, apache, ...) has its own way to install privileges but members of the %production group must be able to consult configuration file or even log files. There is still the solution to add them into the right groups (mysql...) and set the good permission. But I do not want to usermod all users, I do not want to modify standards permissions since it could change after each upgrade.
On the other hand, setting acls and/or mixing setuid/setgid on directories is something I could easily do without "defacing" the standard distribution.
What do you think about this ?
Taking the mysql example, that would look like this:
setfacl d:g:production:rx,d:other::---,g:production:rx,other::--- /var/log/mysql /etc/mysql
Do you think this is good practise or should I definetely usermod -G mysql and play with standard permissions system ?
Thank you
© Server Fault or respective owner