I have various log files in folders on an RHEL 5 system:
/var/log/syslog-ng/A/
/var/log/syslog-ng/B/
/var/log/syslog-ng/C/
I would like to be able to give certain users the rights to view/tail (but not modify/delete) all files inside the folders B
and C
(and subdirectories) but not to view the contents of folder A
nor the /var/log/syslog-ng
folder itself.
What I can imagine is a cut down shell with the only commands being tail
, cd
, grep
and vi
, with cd
only able to navigate into the B
and C
folders.
A single user/password shared between the people who would be using this information is fine.
How would you recommend achieving this? Is it even possible?
(we currently achieve this with a bash script made available through Apache HTTPD, with the Apache configuration requiring a password if the path being navigated passes above the B or C folders. The script is clunky and hacky to say the least, and doesn't provide any form of live updating apart from a meta-refresh on the generated HTML page – making use of ssh and tail would be a much better user experience, and be less prone to errors)
Best Answer
The bash shell enters a restricted mode (when called
rbash
) that prevents users -among other things- from alteringPATH
or changing current directory withcd
; by coupling this with the access control restriction provided by UNIX groups, you can restrict users to view only files in a certain directory.I would implement it this way:
Create groups
A
,B
, etc. - each group can read (but not write) the the corresponding directory and the log files in it:Modify
/etc/group
and add users to these groups according to the logs you want them to read:Create a directory to host the commands you want to give access to the log viewers; let's assume it's
/usr/local/restricted/bin
. Copy or hard-link the relevant commands to this directory.Modify
/etc/profile
so that you set up the correctPATH
for the restricted users: the restricted PATH should only include/usr/local/restricted/bin
(or any other directory that hosts "safe" restricted commands).Modify
/etc/passwd
and make sure the users are given the login shellrbash
and the relevant/var/log/syslog-ng/XXX
directory as home. They can now log in but are jailed to the home directory and can only use commands on the restricted PATH.Note: It's easy to circumvent the restricted mode shell if you provide access to commands that allow users to exec an arbitrary command, e.g., PERL or almost any editor.