Monday, September 3, 2012

Sudo/setfacl/getfacl –Info examples

How to let individual users start/stop/reload application services such as httpd, mysqld and sendmail via sudo, and how to grant them rights on files and directories with setfacl/getfacl.

1. Log on to the XXX server.
2. Assign rights to the normal (non-root) Linux accounts baskar and jj:
* rights to change/stop/start the Fetchmail and Procmail applications
* rights to stop/start httpd and mysqld

3. Edit the sudoers file with visudo (it syntax-checks the file before saving), append the two lines below at the end of the file, then save and close it. Because every command is listed together with its exact arguments, sudo allows only those argument strings; for example, "/etc/init.d/httpd restart" is not permitted by these entries.
baskar   ALL=NOPASSWD: /etc/init.d/fetchmail stop, /etc/init.d/fetchmail start, /etc/init.d/sendmail stop, /etc/init.d/sendmail start, /etc/init.d/httpd stop, /etc/init.d/httpd start, /etc/init.d/mysqld stop, /etc/init.d/mysqld start
jj       ALL=NOPASSWD: /etc/init.d/fetchmail stop, /etc/init.d/fetchmail start, /etc/init.d/sendmail stop, /etc/init.d/sendmail start, /etc/init.d/httpd start, /etc/init.d/httpd stop, /etc/init.d/mysqld stop, /etc/init.d/mysqld start

4. Using setfacl we can grant rights to individual users (getfacl shows the resulting ACL). Note that setfacl -m on a directory changes only the directory's own ACL: add -R to cover the files already inside it, and a default entry (-d -m) if files created later should inherit the rights.

* Rights to change files in /opt/RT and in /backup/baskar and /backup/jj
# setfacl -m user:baskar:rwx /opt/RT
# setfacl -m user:jj:rwx /backup/baskar /backup/jj

* Rights to change files in /var/www/html/*
# setfacl -m user:baskar:rwx /var/www/html/
# setfacl -m user:jj:rwx /var/www/html/

* Rights to read files in /var/log/ (r on the directory only allows listing it; to open the files inside, the user also needs x on the directory, i.e. r-x, plus r on the files themselves)
# setfacl -m user:baskar:r /var/log
# setfacl -m user:jj:r /var/log

5. Alternatively, create separate groups such as baskarjjrwx and baskarjjr, add both users to them, and grant the rights to the groups instead of to each user:
# setfacl -m group:baskarjjrwx:rwx /var/www/html/ /backup/baskar /backup/jj
# setfacl -m group:baskarjjr:r /var/log
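The following Python script is an added example, not code from the original post: it parses getfacl output (the sample is constructed and abbreviated to the relevant lines) and checks the named-user entries against the rights set above, taking the mask entry into account; the policy expects r-x on /var/log, so the r-only entries from the commands above are reported.

```python
import re

# Constructed sample of `getfacl -p /var/www/html /var/log` output (-p keeps the
# leading slash); owner/group headers and group::/other:: lines omitted for brevity.
SAMPLE_GETFACL = """\
# file: /var/www/html
user::rwx
user:baskar:rwx
user:jj:rwx
mask::rwx

# file: /var/log
user::rwx
user:baskar:r--
user:jj:r--
mask::r-x
"""

# Intended policy: (path, tag, qualifier) -> effective permissions required.
# /var/log needs r-x, not r: x on the directory is what lets a user open its files.
POLICY = {
    ("/var/www/html", "user", "baskar"): "rwx",
    ("/var/www/html", "user", "jj"): "rwx",
    ("/var/log", "user", "baskar"): "r-x",
    ("/var/log", "user", "jj"): "r-x",
}

ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")


def parse_getfacl(text):
    """Return {path: {(tag, qualifier): perms}} from getfacl output."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = {}
        elif path and (m := ENTRY_RE.match(line)):
            tag, qual, perms = m.groups()
            acls[path][(tag, qual)] = perms
    return acls


def audit(acls, policy):
    """List (path, tag, qualifier, wanted, effective) entries that deviate."""
    findings = []
    for (path, tag, qual), want in policy.items():
        entries = acls.get(path, {})
        raw, mask = entries.get((tag, qual), "---"), entries.get(("mask", ""), "rwx")
        # Named-user and named-group entries are limited by the mask entry.
        got = "".join(p if p != "-" and m != "-" else "-" for p, m in zip(raw, mask))
        if got != want:
            findings.append((path, tag, qual, want, got))
    return findings
```

Run it against real output with `getfacl -p <dirs>` piped into parse_getfacl; a finding with effective "---" means the entry is missing entirely.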
