I would also agree that this is probably better suited for the sudo-users list; however, I will add that in general you should allow the sudoedit program instead of allowing direct sudo use to vi, nano, emacs, etc.:

user@host:~$ ldapsearch -Y GSSAPI -QLLL -b "cn=pgsql-mgr-default,ou=SUDOers,dc=harmonywave,dc=cloud" | grep sudoedit
sudoCommand: sudoedit /etc/apt/*
sudoCommand: sudoedit /etc/docker/*
sudoCommand: sudoedit /etc/logrotate.d/postgresql-common
sudoCommand: sudoedit /etc/postgresql-common/*
sudoCommand: sudoedit /etc/postgresql-common/pg_upgradecluster.d/*
sudoCommand: sudoedit /etc/postgresql/*/main/*
sudoCommand: sudoedit /etc/postgresql/*/main/conf.d/*

This solves/avoids the root escalation issues with editors.

On 10/7/21 12:54 PM, Michael Ströder wrote:
> On 10/7/21 13:51, Dario García Díaz-Miguel wrote:
>> We have an LDAP group that should be able to vi, tail and less all the files
>> contained inside /var/log/
>
> Bad idea because less and vi let the user escape to shell.
>
>> We are thinking about using wildcards but it seems that the wildcards that
>> work for the sudoers file do not work when the backend is LDAP.
>
> IMHO this question should be better asked on sudo-users list:
>
> https://www.sudo.ws/mailman/listinfo/sudo-users
>
> On sudo-users there are people who can explain in more detail why you should
> not use sudo like that.
>
> Especially granting read access to log files should be done by appropriate
> group ownership and file permissions/ACLs.
>
> Some introduction to the security issues:
>
> https://www.sweharris.org/post/2018-08-26-minimal-sudo/
>
> Ciao, Michael.

-- 
Thanks,
Joshua Schaeffer
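As an added illustration of the point made in this thread (this is example code, not from the thread or from the sudo or OpenLDAP projects), the following POSIX sh script audits an LDIF dump of sudoRole entries, such as the ldapsearch -LLL output shown above, flags every sudoCommand that hands out a full editor or pager (which can escape to a root shell), and proposes the equivalent sudoedit rule for the editors. The sudoRole entry, its DN and the command list are constructed sample data; the program list in SHELL_ESCAPE_CMDS is an assumption you should extend for your own environment.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit sudoRole LDIF for
# sudoCommand values that grant an interactive editor or pager as root.

# Constructed sample dump in the shape ldapsearch -LLL prints a sudoRole.
SAMPLE_LDIF='dn: cn=log-readers,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %logadmins
sudoHost: ALL
sudoCommand: /usr/bin/vi /var/log/*
sudoCommand: /usr/bin/less /var/log/*
sudoCommand: /usr/bin/tail /var/log/*
sudoCommand: sudoedit /etc/postgresql/*/main/*
sudoCommand: /usr/bin/systemctl restart postgresql'

# Assumed lists: editors get a sudoedit suggestion, pagers are only flagged.
EDITOR_CMDS='vi vim view nano emacs'
PAGER_CMDS='less more'
SHELL_ESCAPE_CMDS="$EDITOR_CMDS $PAGER_CMDS"

# basename_of: last path component of the first word of a sudoCommand value
basename_of() {
    prog=${1%% *}
    printf '%s\n' "${prog##*/}"
}

# suggest_sudoedit: for an editor rule, print the sudoedit form of the same
# rule (the arguments are kept verbatim); print nothing for anything else.
suggest_sudoedit() {
    base=$(basename_of "$1")
    case " $EDITOR_CMDS " in
        *" $base "*)
            # Only meaningful when the rule actually names file arguments.
            case $1 in
                *' '*) printf 'sudoedit %s\n' "${1#* }" ;;
            esac
            ;;
    esac
}

# flag_risky_sudo_commands: read LDIF on stdin, print one verdict per
# sudoCommand line: "RISKY <cmd>" or "ok <cmd>".
flag_risky_sudo_commands() {
    grep '^sudoCommand: ' | while IFS= read -r line; do
        cmd=${line#sudoCommand: }
        base=$(basename_of "$cmd")
        case " $SHELL_ESCAPE_CMDS " in
            *" $base "*)
                printf 'RISKY %s\n' "$cmd"
                fix=$(suggest_sudoedit "$cmd")
                [ -n "$fix" ] && printf '      consider: %s\n' "$fix"
                ;;
            *)
                printf 'ok    %s\n' "$cmd"
                ;;
        esac
    done
}

# count_risky: number of RISKY verdicts for the constructed sample.
count_risky() {
    printf '%s\n' "$SAMPLE_LDIF" | flag_risky_sudo_commands | grep -c '^RISKY'
}

# Stand-alone usage: audit the sample (replace with a real ldapsearch dump).
printf '%s\n' "$SAMPLE_LDIF" | flag_risky_sudo_commands
```

Run it as is to see the sample audited; in practice pipe `ldapsearch -LLL -b ou=SUDOers,... '(objectClass=sudoRole)'` into flag_risky_sudo_commands instead. Note that the script only looks at the program name, so a rule like "ALL" or a wrapper script that in turn launches an editor will not be caught; it is a first-pass check, not a substitute for the group-ownership and ACL approach recommended in the thread for read access to logs.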
