Just wanted to solicit some suggestions here...
I want to allow a user to be able to ssh to a server and view log files, where those log files will often have permissions like root:root 0640. This person should not generally have root privileges on the server.
I do not want to have to mess with the POSIX permissions of the log files.
Off the top of my head I can think of two ways to do this:
- Apply an inheritable ACL to the various log directories that allows some group that person is a member of to read everything.
- Configure that user's sudo permissions to be able to run, say, 'less' and 'cat' as root, but nothing else (may be tricky to figure out log file paths this way though, if the user has no access to the parent directories).
Any better suggestions?
And before someone says to just use a syslog server, we do use something like that but do not send out all logs, particularly extremely verbose ones. The reason for giving this person access is partly to get to those other logs.
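One way to make the second option safer than granting `less` or `cat` as root outright: give the user sudo access to a single fixed wrapper that only reads regular files under the log tree, and that also lists the files so the user does not need traversal rights on the parent directories. This is an added example, not code from the post or from any of its commenters; the script name `viewlog`, the group/user name `logreader`, and the sudoers entry in the comments are assumptions. It is written as a POSIX sh script and expects GNU `realpath`.

```shell
#!/bin/sh
# viewlog: the only command the log reader is allowed to run through sudo,
# instead of an unrestricted 'less' or 'cat' as root.
#
# Hypothetical sudoers line (assumption, adjust user and path to taste):
#   logreader ALL=(root) NOPASSWD: /usr/local/sbin/viewlog
#
# The post's first option, an inheritable ACL, would instead look like
# (constructed, group name assumed):
#   setfacl -R -m g:logreader:rX /var/log      # existing entries
#   setfacl -R -d -m g:logreader:rX /var/log   # default ACL for new entries

# Directory tree the user may read from; everything else is refused.
LOG_ROOT="${LOG_ROOT:-/var/log}"

# Canonicalise the requested path and verify it stays inside LOG_ROOT.
# Prints the resolved path and returns 0 on success, returns 1 otherwise.
resolve_log_path() {
    req="$1"
    root=$(realpath -e -- "$LOG_ROOT" 2>/dev/null) || return 1
    # realpath -e follows every symlink and rejects missing files, so a
    # link placed inside LOG_ROOT that points elsewhere resolves to its
    # real location and fails the prefix check below.
    resolved=$(realpath -e -- "$req" 2>/dev/null) || return 1
    case "$resolved" in
        "$root"/*) ;;          # inside the allowed tree
        *) return 1 ;;
    esac
    # Regular files only: no directories, devices or sockets.
    [ -f "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# List readable log files (symlinks excluded) so the user can discover
# paths without having directory access on the parents.
list_logs() {
    find "$LOG_ROOT" -type f 2>/dev/null | sort
}

viewlog_main() {
    case "${1:-}" in
        list)
            list_logs
            ;;
        view)
            path=$(resolve_log_path "${2:-}") || {
                printf 'viewlog: refused: %s\n' "${2:-}" >&2
                return 1
            }
            # Exec a fixed binary by absolute path. No pager: the user never
            # gets an interactive process running as root.
            exec /bin/cat -- "$path"
            ;;
        *)
            printf 'usage: viewlog list | viewlog view <file>\n' >&2
            return 2
            ;;
    esac
}

# Dispatch only when invoked with arguments, so the file can be sourced.
[ $# -eq 0 ] || viewlog_main "$@"
```

Usage is `sudo viewlog list` followed by `sudo viewlog view /var/log/app/app.log`. Two design points: the wrapper deliberately uses `cat` rather than a pager, because `less` can launch other programs, and a sudo rule that permits it as root should at least carry the `NOEXEC` tag; and if you go with the ACL option instead, remember that the effective group permission on a new file is capped by the ACL mask, which is derived from the mode the daemon creates the file with, so a logger that creates files 0600 produces files on which the inherited entry is masked out.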