[sudo-users] less

Andy Bailey andy at hazlorealidad.com
Tue Aug 4 07:53:42 EDT 2009

On Tue, 2009-08-04 at 08:22 +0200, Helmut Hullen wrote:
> Hallo, alexandre,
> Du meintest am 04.08.09:
> >> I want to let the user view log files, I know I could do it with
> >> standard file permissions but I wanted to log administrative
> >> activity using sudo.
> > You can let users to use /bin/cat to view logfiles. So, they can use:
> > sudo cat /var/log/logfile | less

> What about
>         sudo less /var/log/logfile
> "less" doesn't need "cat".

Thanks Matthew, alexandre and helmut

I just spotted that as well as compiling less in secure mode you can set
an environment variable to less

(Oops I did read the man page for less, honest, but just not all of it,
and I was looking for a command line option not an environment variable.
Thats my excuse and Im sticking to it!)

I also spotted that you can do (at least in the bash shell)
typeset -r LESSSECURE

alexandre's  cat ... | less solution is a good workaround, so that the
less process is running as the user and not root, but Im not sure how
much less can buffer up in the case of a large logfile and needing to
scroll backwards towards the start.

At the moment I have

the_user    ALL=NOEXEC: /usr/bin/less /var/log/messages

The final question is:

How can I enforce that the LESSSECURE environment variable is set to 1
in the sudoers file for the less command

and that the user cant override this setting using sudo -E.

Thanks in advance

Andy Bailey

More information about the sudo-users mailing list