1

I am in the process of setting up specialized sudo for our first line support team. I would like to authorize them to delete anything within /var/log/. The command below however only applies to files directly in /var/log/, not its subdirectories. If they attempt to delete from /var/log/directory/file_name they are not permitted to delete the file. I've tried some reading, but cannot figure out how to change this command to make the permissions recursive. Any advice would be appreciated.

%front_line ALL=(ALL) NOPASSWD: /bin/rm /var/log/*
techraf
Gary White
  • To my mind, this is what file permissions are for - particularly remembering that under UNIX, write-permission on the directory is all that's required to delete a file. Consider using a group, and `chmod -R g+sw /var/log` to do this. – MadHatter Feb 26 '16 at 16:48
  • `rm -r /var/log/*` ? – JFL Feb 26 '16 at 16:57
  • `rm -r /var/log/*` worked in my test. I think that'll be the winner! Thank you! – Gary White Feb 26 '16 at 17:02

2 Answers

5

I think you are doing it wrong™. You can't just delete log files like that, you mostly need to restart the relevant daemons that are generating the log files too. Server Fault is littered with questions from people who deleted a log file and then at some future date 'unexpectedly' ran out of disk space.

Many of the daemons writing to /var/log open the file at startup and then hold the file open till they restart or (if programmed to do so) they close and reopen the file when signaled. This means when you delete the file, it is still open, occupying disk space and growing.

Also note that your 'solution' in the comments will likely delete any subdirectories which may cause daemons to fail to startup correctly because the path to their log files does not exist.

To do this properly, you will have to analyse in detail what your front line staff need to do and to which files. You will then need to figure out if it is safe to delete a particular file or whether you will need to restart the daemon too. It is not as simple a job as you seem to think.

user9517
  • Usually, you'd copy and truncate. And you'd do it with [`logrotate`](http://www.linuxcommand.org/man_pages/logrotate8.html), rather than manually with `rm`. – Parthian Shot Feb 29 '16 at 18:42
  • @ParthianShot Perhaps, it depends on the daemon and yeah for sure you'd prefer to use logrotate but the OP wants their first line people to be able to delete log files ... – user9517 Feb 29 '16 at 19:00
-1

Well, this is not an answer but I'd recommend you to never, NEVER use * in conjunction with binaries like rm. Just imagine the consequence of the following command

rm -rf /var/log/../../*

Your ruleset allows this command to be executed. You need to develop your ruleset more carefully. Try to avoid * as much as possible.

user1700494
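One defensive alternative to granting `rm` with a wildcard, as an added example that is not from this thread: a small wrapper script that sudo can be granted in place of `/bin/rm /var/log/*`. It checks the requested path against the `..` traversal shown in the answer above and against symlinks before deleting anything; the install path `/usr/local/sbin/rmlog` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper that a sudoers rule could
# name instead of "/bin/rm /var/log/*". The script path is an assumption.
# It accepts exactly one absolute path, refuses ".." components, resolves
# symlinks, and only then deletes a file strictly inside LOG_ROOT, so
# "/var/log/../../*" style arguments are rejected rather than executed.
LOG_ROOT=/var/log

# check_log_path PATH: exit status 0 if PATH is a permitted target, 1 if not.
check_log_path() {
    p=$1
    # Absolute paths only; a relative path depends on the caller's cwd.
    case $p in
        /*) ;;
        *)  return 1 ;;
    esac
    # Refuse any ".." component before canonicalisation.
    case "/$p/" in
        */../*) return 1 ;;
    esac
    # Resolve symlinks in both the request and the root (realpath -m also
    # handles paths that do not exist yet); fall back to the textual path
    # where realpath or its -m option is unavailable.
    canon=$(realpath -m -- "$p" 2>/dev/null) || canon=$p
    root=$(realpath -m -- "$LOG_ROOT" 2>/dev/null) || root=$LOG_ROOT
    # Target must be strictly inside the root, never the root itself.
    case $canon in
        "$root"/?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# safe_rm_log PATH: delete one checked file. No glob, no -r, no extra args.
safe_rm_log() {
    [ "$#" -eq 1 ] || { echo "usage: $0 /var/log/<file>" >&2; return 2; }
    check_log_path "$1" || { echo "refused: $1" >&2; return 1; }
    # Caveat from the first answer above: a file a daemon holds open keeps
    # its disk space until the writer closes or reopens it, so truncating
    # (": > file") may be the better operation for live logs.
    rm -f -- "$1"
}

# When run as a script (e.g. via sudo), act on the single argument given.
if [ "$#" -gt 0 ]; then
    safe_rm_log "$@"
fi
```

The sudoers line would then name the script rather than `rm`, e.g. `%front_line ALL=(ALL) NOPASSWD: /usr/local/sbin/rmlog` (path assumed), so the group supplies a path and the script, not the glob, decides whether it is acceptable.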