LET-M-READ - Controlled Read Access to Linux Users

Updated on:

An Open Source tool to grant controlled read access to unprivileged users on UNIX based OS to read log files or config files etc. With LET-M-READ system admins can give read access to unprivileged or Guest users. without changing the file permissions (or) directory permissions.
 
LET-M-READ can help mostly while you want to give the Developers and Support teams a READ privilege to access the Apache, weblogic, WebSphere logs or any logs available in the server

LET-M-READ

Simply put, LET-M-READ makes it possible for an Unprivileged User to read files (i.e logs) using various system commands like
  • more
  • tail
  • tail with f
  • less
  • cat

You as System Admin would no longer have to change the file permission or directory permission to let the developers (or) support engineers access that log file or configuration file.

There by you are isolating and controlling who is reading the log file at what time etc.

Either Temporary or permanent. LET-M-READ will take care of it and logs what they are reading. Still everything is in your control.

 

Features

  • User Authentication Enabled ( Maintains in own Secure file based User Database, SaltString used to encrypt and decrypt the passwords can be changed)
  • Event Log capture on what the user has read
  • Easy UserAddition
  • User-Friendly
  • Provides more options to unprivileged users for reading files
  • Controlled Access

 

Prerequisites

  • LET-M-READ should be stored and secured as root user to keep it fully functional and protected.
  • Perl 5.10 or above must be present in the server with Switch module
  • The commands being used by LET-M-READ less, more, tail, cat must be installed and have proper path precedence and defined in environment variable $PATH. As LET-M-READ will invoke the commands without path (not like /usr/local/bin/more it is just 'more')

 

Supported Operating System

Unix based OS with Perl 5.10 and above ( with switch module)

 

The Scenario

For Instance, Let's say I have a user named "testuser" who is a developer or test engineer and I want to grant him an access to read log files from the directory /etc/httpd/logs using let-m-read. We will see how to get this done with LET-M-READ in few simple steps

 

How to Use?

  • Download the Zip file from GITHUB & Uncompress it
  • Add the User in LET-M-READ
  • Update the Sudoers file
  • Ask the user to test

 If you are having GIT installed? Just do

git pull https://git.io/fxsBX

 

Download

Download the Zip file from https://github.com/AKSarav/LET-M-READ and uncompress it in your desired location

 

Step1: AddUser

LET-M-READ comes with Additional Security. So its required to setup the userid.
Execute the adduser module as follows.
./adduser

 

Step2: Update Sudoers File

As per our requirement, we should grant read access for only /opt/securedir to 'testuser'.
Make sure the user "testuser" is present using 'id' command

 

id testuser

 

First, you’ll need to use the visudo utility…
sudo visudo

 

Add an entry in Sudoers file with the LET-M-READ command the Log Directory. The following Syntax explanation could help you understand
testuser ALL=(ALL) NOPASSWD: /opt/lmr/letmread /etc/httpd/logs

 

Here:
/opt/lmr/letmread -> Fully qualified location where you have uncompressed and saved the letmread
/etc/httpd/logs -> The Log Directory, for which you want to grant access to the 'testuser'
Now you can communicate to the 'testuser', what is the command he has to execute and what is the let-m-read password he should use.

 

Testing: Invoking LET-M-READ (as testuser)

Now the user has to execute the following command ( the one we defined in sudoers)

 sudo /opt/lmr/letmread /etc/httpd/logs

 

That's it. Now the user can enjoy reading the file with many commands like more, tail, less etc... and as the Infrastructure Owner you no need to worry about changing the file permissions (or) ownership.
 

 

 

The Complete TrailRun (Setup & Testing)

 

Event Logging

 [Oct 07 05:31:22:22]	'testuser' Reading '/etc/httpd/logs/access_log' with command 'm'
 [Oct 07 05:32:52:52]	'testuser' Reading '/etc/httpd/logs/access_log' with command 'l'
 [Oct 07 05:45:02:02]	'testuser' Reading '/etc/httpd/logs/access_log' with command 'm'
 [Oct 07 05:46:00:00]	'testuser' Reading '/etc/httpd/logs/access_log' with command 'l'
 [Oct 07 05:47:32:32]	'testuser' Reading '/etc/httpd/logs/access_log' with command 'tf'

 

The content of ZipFile.

  1. adduser -   this module can be used for adding new username into LET-M-READ
  2. letmread -  this is the core logic module and heart of LET-M-READ
  3. license.txt - GPL V3 License Document
  4. more_instructions.txt - A supplementary text file being used by LET-M-READ
  5. README.md - GIT repository Readme file.

 

Some screenshots:

 

Security - Changing the Salt String

As said earlier, LET-M-READ saves the username as encrypted text in a file named .pwfile and this file resides (or) gets created at the location where the letmread and adduser scripts are present  in other words, the Base directory of LET-M-READ

 For Encryption and Decryption we use a SHA256 SaltString which can be changed directly by editing the adduser and letmread scripts

In case you are changing the Salt String. You would have to recreate all the user names, already stored in the .pwfile

 

Disclaimer

This tool is created by me with no guarantee or warranty that it will work/satisfy all your needs and It is OpenSource.  You can modify it edit to suit all your needs.  You can first try it in your Development environments before going to production. user discretion is advised

 

FAQ:

1. What Guarantee does it provide that my log files are safe and it will not do any mess with my log file?

As tested by various users and by me for a long time, we never have seen that happening and LET-M-READ have never made any mess with the log file or left the log file in incompatible State. However user discretion is advised.

2. What Language this is developed in?

perl

3. Who is backing this tool (or) any commercial version available

I (SaravAK) Created this as my side project and It is Open Source

 

Hope it helps.

I would be happy to see your feedback through comments. Help LET-M-READ to improve by providing any suggestion/feedback.

If you find any bug/ want to suggest any moderation please use GitHub (or) comment here.

How would you like to rate this article and Tool [ratings]

Cheers,
SaravAK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

More from Middleware Inventory

  • Remote Server - File System Lister [Linux]

    Have you ever  had the requirement of logging in to the Nnumber of remote servers (without keybased authentication ) and  get the mount point information and save it as CSV Report (or) Print it with a good console formatting. Then this is for you. Basically, It is a Shell script (…

  • MOD_JK Installation and Configuration - Apache HTTPD and Tomcat

    Apache and Tomcat are the A and B of middleware that everyone learns and they have widely used web server and application server across the world( sometimes referred to as just web container as it does have no EJB) It's like a sandbox for every rookie to learn things and…

  • Find Empty Directories in Linux - When there is no Empty Option

    The Objective of this post gives you a hack to find Empty Directories in Unix Where there is no -empty option supported with the find command   I have recently had a requirement of finding the empty directories in mount point (or) file system where there is no "-empty" option…

  • Weblogic 12c installation/implementation in Linux with GUI

    Overview The objective of this Post is to talk about the step by step process of installing the weblogic 12c in GUI mode and creating the domains. Here is a Quick Summary of what we will be discussing on this post System requirements Creating dedicated user and group for weblogic…