LinuxQuestions.org


zimbot 12-14-2011 03:51 PM

add user to sudoers
 
Friends.
I have openSUSE 11.1 64.
I wish to have a limited user be able to do some sudo commands without having to enter (without having to know) the root password.

Specifically, 1 command:

sudo umount media/restore.

Here is the thing. I have a script that makes for easy peasy restore from an LTO4 data tape to an attached USB drive.
That drive will be named 'restore' and it auto mounts under
/media/restore
At the end I would like to unmount the USB drive.

I have looked at
http://www.susegeek.com/security/how...y-in-opensuse/

I must be missing something. Currently using the YaST tool.
I am cool with visudo;
in fact I would be OK with letting the user { usr = dog }
being able to sudo *Anything --all-- *
since this will happen via a script,
and the risk seems less than telling them what the root password is.

thanks!

andywebsdale 12-14-2011 04:24 PM

Here's what's in my /etc/sudoers file
Quote:

Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults !authenticate
# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

This works for me, but I'm not sure if it's best security practice or not.
Have a look at your existing file - there may be an existing group defined already, like the sudo group in here (might be called "wheel") - if there is, you just have to make the user a member of that group.

Dark_Helmet 12-14-2011 07:41 PM

It's really very simple once you see a few examples.

For your task, just add this line (by using visudo):
Code:

dog ALL=(ALL) /bin/umount /media/restore

Commands in the sudoers file MUST begin with an absolute path. I don't know if that was part of your problem or not. It gave me grief once or twice.

Also, if you have scripted common tasks, you can give users permission to run those scripts as root--so that you don't have to give sudo permissions for each individual command.

EDIT:
Just to clarify, this will give user dog the ability to execute (as root) "sudo umount /media/restore" and only that command. andywebsdale's solution would tackle the other option: allowing dog to execute any command.

Also, as a side-note, the user does not have to enter the path for umount to execute it (like was done in the sudoers file) as long as dog's command ultimately points to /bin/mount (after path expansion for instance).

zimbot 12-15-2011 08:36 AM

1st, thanks to all for all the advice.
I have not tried any of this yet - I wish to ask just a bit more before I "dig in".

Might it be true that I could grant the user dog full sudo ability?
Meaning: they can sudo *any cmd* without being prompted for a root password.
(And since this command would happen within a script -- still hidden to the casual user dog.)

If I, from a terminal, do a visudo
and add the below line

1
# User privilege specification
dog ALL=(ALL:ALL) ALL

or
2
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

and then I have to add user dog to a group sudo.
I suppose that is like adding a user to any group.

I think i like the "wider open door" approach

thanks much!
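
Added example (not posted by anyone in this thread): a small Python check over a simplified subset of sudoers syntax that flags the points raised above, namely a global `Defaults !authenticate`, grants of `ALL` commands, and commands that do not start with an absolute path. The sample file is constructed, and the `NOPASSWD:` tag on the narrow umount rule is an assumption about how the passwordless unmount would be granted.

```python
import re

# Constructed sample covering the rule styles discussed in the thread.
SAMPLE = """\
Defaults env_reset
Defaults !authenticate
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
dog ALL=(ALL:ALL) ALL
dog ALL=(ALL) umount /media/restore
dog ALL=(root) NOPASSWD: /bin/umount /media/restore
"""

# Simplified grammar: who host=(runas) [TAG:] cmd[, cmd...]; aliases are not handled.
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=(]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit(text):
    """Return (line_no, who, finding) for risky or malformed lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and #includedir lines are skipped
        if line.startswith("Defaults"):
            if "!authenticate" in line.replace(",", " ").split():
                findings.append((no, "Defaults", "no password prompt for any rule"))
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "?", "not in 'who host=(runas) command' form"))
            continue
        if m["who"] == "root":
            continue  # stock root entry, not a delegated grant
        for cmd in m["cmds"].split(","):
            cmd = TAGS.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append((no, m["who"], "may run any command"))
            elif not cmd.startswith("/"):
                findings.append((no, m["who"], "command is not an absolute path: " + cmd))
    return findings

if __name__ == "__main__":
    for no, who, finding in audit(SAMPLE):
        print(f"line {no}: {who}: {finding}")
```

This does not replace `visudo -c`, which checks the real grammar; it only highlights how much each line grants.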

