I would also agree that this is probably better suited for the sudo-users list, however I will add that in general you should allow the sudoedit program instead of allowing direct sudo use of vi, nano, emacs, etc.:

user@host:~$ ldapsearch -Y GSSAPI -QLLL -b "cn=pgsql-mgr-default,ou=SUDOers,dc=harmonywave,dc=cloud" | grep sudoedit
sudoCommand: sudoedit /etc/apt/*
sudoCommand: sudoedit /etc/docker/*
sudoCommand: sudoedit /etc/logrotate.d/postgresql-common
sudoCommand: sudoedit /etc/postgresql-common/*
sudoCommand: sudoedit /etc/postgresql-common/pg_upgradecluster.d/*
sudoCommand: sudoedit /etc/postgresql/*/main/*
sudoCommand: sudoedit /etc/postgresql/*/main/conf.d/*
This solves/avoids the root escalation issues with editors.
On 10/7/21 12:54 PM, Michael Ströder wrote:
On 10/7/21 13:51, Dario García Díaz-Miguel wrote:
We have an LDAP group that should be able to vi, tail and less all the files contained inside /var/log/
Bad idea because less and vi let the user escape to shell.
We are thinking about using wildcards but it seems that the wildcards that work for the sudoers file do not work when the backend is LDAP.
IMHO this question should be better asked on sudo-users list:
https://www.sudo.ws/mailman/listinfo/sudo-users
On sudo-users there are people who can explain in more detail why you should not use sudo like that.
Especially granting read access to log files should be done by appropriate group ownership and file permissions/ACLs.
Some introduction to the security issues:
https://www.sweharris.org/post/2018-08-26-minimal-sudo/
Ciao, Michael.
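To check an existing directory for the pattern discussed in this thread (raw sudo access to vi/less/tail versus sudoedit), here is an added example that is not from any poster: a small Python audit over an `ldapsearch -LLL` dump of sudoRole entries. The LDIF sample, the `dc=example,dc=com` base and the role names are constructed for the example; the risky-program lists are the poster's editors and pagers plus a few obvious siblings.

```python
import base64
import re
# Shell-escaping editors/pagers belong behind sudoedit; log readers behind group/ACLs.
SHELL_ESCAPE = {"vi", "vim", "view", "nano", "emacs", "less", "more"}
FILE_READERS = {"tail", "cat", "head"}
# Constructed sample shaped like `ldapsearch -LLL` output (not a real directory),
# with one LDIF folded line (leading space) and one base64 value (`::`).
SAMPLE = """\
dn: cn=pgsql-mgr-default,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: pgsql-mgr-default
sudoCommand: sudoedit /etc/postgresql/*/main/*
sudoCommand: sudoedit /etc/postgresql/*/main/co
 nf.d/*

dn: cn=log-readers,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: log-readers
sudoCommand: /usr/bin/vi /var/log/*
sudoCommand: /usr/bin/less /var/log/*
sudoCommand: /usr/bin/tail /var/log/*
sudoCommand:: L3Vzci9iaW4vbmFubyAvZXRjL2hvc3Rz
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry (folded lines joined)."""
    entries = []
    for block in re.split(r"\n\n+", re.sub(r"\n ", "", text).strip()):
        cur = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode()
            cur.setdefault(attr, []).append(value.strip())
        entries.append(cur)
    return entries

def classify(cmd):
    """Finding for one sudoCommand value, or None if it is acceptable."""
    prog = cmd.split()[0].rsplit("/", 1)[-1]
    if prog in SHELL_ESCAPE:
        return f"{cmd}: shell escape, grant editing via sudoedit"
    if prog in FILE_READERS:
        return f"{cmd}: read access belongs in group ownership/ACLs"
    return None

def audit(ldif_text):
    """Map each sudoRole cn to its findings (empty list means clean)."""
    roles = [e for e in parse_ldif(ldif_text) if "sudoRole" in e.get("objectClass", [])]
    return {e["cn"][0]: [f for f in map(classify, e["sudoCommand"]) if f] for e in roles}
```

Run it against `ldapsearch -Y GSSAPI -QLLL -b "ou=SUDOers,..." objectClass=sudoRole` output instead of SAMPLE to review a live directory.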