How to give a very stripped down login for viewing logs


I have various log files in folders on an RHEL 5 system:

/var/log/syslog-ng/A/
/var/log/syslog-ng/B/
/var/log/syslog-ng/C/

I would like to be able to give certain users the rights to view/tail (but not modify/delete) all files inside the folders B and C (and subdirectories) but not to view the contents of folder A nor the /var/log/syslog-ng folder itself.

What I can imagine is a cut down shell with the only commands being tail, cd, grep and vi, with cd only able to navigate into the B and C folders.

A single user/password shared between the people who would be using this information is fine.

How would you recommend achieving this? Is it even possible?

(We currently achieve this with a bash script made available through Apache HTTPD, with the Apache configuration requiring a password if the path being navigated passes above the B or C folders. The script is clunky and hacky to say the least, and doesn't provide any form of live updating apart from a meta-refresh on the generated HTML page – making use of ssh and tail would be a much better user experience, and be less prone to errors.)

Best Answer

The bash shell enters a restricted mode (when called as rbash) that prevents users, among other things, from altering PATH or changing the current directory with cd; by coupling this with the access control restrictions provided by UNIX groups, you can restrict users to viewing only files in a certain directory.

I would implement it this way:

  • Create groups A, B, etc. Each group can read (but not write) the corresponding directory and the log files in it:

    $ ls -lF /var/log/syslog-ng
    drwxr-x--- root A  ...  A/
    drwxr-x--- root B  ...  B/
    [...]
    
    $ ls -l /var/log/syslog-ng/A/
    -rwxr----- root A  ...  logfile.log
    -rwxr----- root A  ...  logfile.log.1
    [...]
    
  • Modify /etc/group and add users to these groups according to the logs you want them to read:

    $ tail /etc/group
    [...]
    A: foo
    B: bar
    
  • Create a directory to host the commands you want to give access to the log viewers; let's assume it's /usr/local/restricted/bin. Copy or hard-link the relevant commands to this directory.

  • Modify /etc/profile so that you set up the correct PATH for the restricted users: the restricted PATH should only include /usr/local/restricted/bin (or any other directory that hosts "safe" restricted commands).

  • Modify /etc/passwd and make sure the users are given the login shell rbash and the relevant /var/log/syslog-ng/XXX directory as home. They can now log in but are jailed to the home directory and can only use commands on the restricted PATH.

Note: It's easy to circumvent the restricted mode shell if you provide access to commands that allow users to exec an arbitrary command, e.g., Perl or almost any editor.
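
A check for the note above, as an added example that is not part of the original answer: it audits the restricted PATH directory for commands that can run other programs and for write permissions that would let a log viewer add their own. The function names and the `ESCAPE_CAPABLE` list are assumptions made for illustration, and the list is a starting point, not exhaustive.

```bash
#!/bin/bash
# Added example (not from the answer): audit a restricted-PATH directory.
# ESCAPE_CAPABLE is an assumed, non-exhaustive starting list of commands
# that can run other programs: editors, pagers, interpreters, wrappers.
ESCAPE_CAPABLE="vi vim view ex ed nano emacs less more man perl python ruby
awk gawk sed find xargs env ssh scp tar sh bash dash"

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_restricted_bin() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Group/other write permission lets a log viewer plant extra commands.
    # Characters 6 and 9 of the ls mode string are the group/other 'w' bits.
    case $(ls -ld "$dir" | cut -c6,9) in
        *w*) echo "WRITABLE $dir"; findings=1 ;;
    esac

    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        # Resolve symlinks so an alias pointing at e.g. perl is still caught.
        # A renamed copy or hard link is NOT detected by this name check.
        target=$(basename "$(readlink -f "$f")")
        for bad in $ESCAPE_CAPABLE; do
            if [ "$name" = "$bad" ] || [ "$target" = "$bad" ]; then
                echo "ESCAPE $name"; findings=1; break
            fi
        done
    done
    return $findings
}

# Constructed sample: the question's wish list (tail, grep, vi) as empty files.
make_demo_dir() {
    d=$(mktemp -d) && chmod 755 "$d" || return 1
    for c in tail grep vi; do : > "$d/$c"; done
    echo "$d"
}

# Usage: ./audit.sh /usr/local/restricted/bin   (path taken from the answer)
if [ $# -gt 0 ]; then audit_restricted_bin "$1"; fi
```

On the constructed sample the audit reports `ESCAPE vi`, so the editor from the question's wish list is the entry to drop or replace with a read-only viewer.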
