andy at hazlorealidad.com
Tue Aug 4 07:53:42 EDT 2009
On Tue, 2009-08-04 at 08:22 +0200, Helmut Hullen wrote:
> Hello, alexandre,
> You wrote on 04.08.09:
> >> I want to let the user view log files, I know I could do it with
> >> standard file permissions but I wanted to log administrative
> >> activity using sudo.
> > You can let users use /bin/cat to view logfiles. So, they can use:
> > sudo cat /var/log/logfile | less
> What about
> sudo less /var/log/logfile
> "less" doesn't need "cat".
Thanks Matthew, alexandre and helmut
I just spotted that as well as compiling less in secure mode you can set
an environment variable to less
(Oops I did read the man page for less, honest, but just not all of it,
and I was looking for a command line option not an environment variable.
That's my excuse and I'm sticking to it!)
I also spotted that you can do (at least in the bash shell)
typeset -r LESSSECURE
alexandre's cat ... | less solution is a good workaround, so that the
less process is running as the user and not root, but I'm not sure how
much less can buffer up in the case of a large logfile and needing to
scroll backwards towards the start.
At the moment I have
the_user ALL=NOEXEC: /usr/bin/less /var/log/messages
The final question is:
How can I enforce that the LESSSECURE environment variable is set to 1
in the sudoers file for the less command
and that the user can't override this setting using sudo -E?
Thanks in advance