Wednesday, May 15, 2024
answers: 1 / hits: 3283 / Sun, May 1, 2022, 6:56:04

I have a file on an Ubuntu server which should only be accessible by one user. There are other users on the server with sudo permissions. I am trying to restrict access to this file even though another user can just sudo to see/modify the contents.


I've looked into visudo, with which I've disabled the chmod and chown commands, so the user cannot change the file permissions. I've looked into an access control list, and from my understanding it would be able to be bypassed with sudo.


So my question is: how can I restrict access to a file to one and only one user, without the ability to sudo to bypass the permissions?



 Answers

The only way to do this is to deny access to sudo for those other users. If you have multiple people with sudo (aka admin) privileges, you can't restrict access to sudo/root and are better off NOT keeping this file on the server, especially if you don't trust everyone with administrative privileges on the system not to snoop on your data.


Permission to run anything as sudo is essentially equal to having root access, but without the root account being unlocked. root has access to everything. You won't be able to stop that access.


Short of removing sudo from those users or adding special sudoers lines to define exactly what commands can be run via sudo by those other sudo-capable users (and nothing else, in this sense 'restricted' admin rights since they can't do just anything with their sudo), you have no options to protect against sudo / root viewing the file.




Other alternatives would be encrypting the file locally on your system BEFORE uploading, such as with gpg encryption. In those cases, even if they can access the file, they can't edit or view the contents because they're encrypted, and they won't have your decryption codes necessary to read the files, even as root. However, that's more complex and a bit outside the scope of the question you asked.


[#1646] Tuesday, May 3, 2022
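The answer's point that any account able to run everything through sudo is effectively root can be checked on a host by listing those grants. The script below is an added example, not part of the original answer; the account names in the sample are constructed, and the parser covers plain user and %group entries only.

```shell
#!/bin/sh
# Added example: list sudoers grants that amount to full root.

# Constructed sample in sudoers syntax; every account name is hypothetical.
sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
Cmnd_Alias WEB = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
bob     ALL=(root) WEB
carol   ALL=(root) /usr/bin/apt update, \
                   /usr/bin/apt upgrade
dave    ALL=(ALL) ALL, !/usr/bin/chmod, !/usr/bin/chown
EOF
}

# Read sudoers text on stdin; print each user or %group whose command list
# contains a bare ALL. An ALL grant with "!" exclusions is still reported.
# Limits: aliases are not expanded, included files are not followed, and
# "#uid" entries are skipped as comments.
full_root_grants() {
  awk '
    /\\$/ { buf = buf substr($0, 1, length($0) - 1) " "; next }  # join continuation lines
    { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line) }
    line ~ /^(#|$)/ { next }                                # comments, blanks
    line ~ /^(Defaults|[A-Za-z]+_Alias|@include)/ { next }  # not user specs
    {
      eq = index(line, "=")
      if (eq == 0) next
      split(substr(line, 1, eq - 1), lhs, /[ \t]+/)
      rhs = substr(line, eq + 1)
      gsub(/\([^)]*\)/, "", rhs)   # drop Runas specs such as (ALL:ALL)
      gsub(/[A-Z_]+:/, "", rhs)    # drop tags such as NOPASSWD:
      n = split(rhs, cmd, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
        if (cmd[i] == "ALL") { print lhs[1]; break }
      }
    }
  '
}

# Demo on the sample. On a real host, as root:
#   cat /etc/sudoers /etc/sudoers.d/* | full_root_grants
sample_sudoers | full_root_grants
```

Every name it prints can read the file whatever its mode bits or ACL say; entries limited to a fixed command list, like the sample's bob and carol, are not printed.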
afisird
