Sudoers file: how to add only certain tasks

NewRH · 10-06-2022, 04:45 AM

Hello,

I should allow one user to manage storage and install and manage softwares, but nothing more. I know I should modify the /etc/sudoers file but I cannot find the exact syntax to do so.

Thank you!

Turbocapitalist · 10-06-2022, 05:26 AM

Hello,

Start by listing the specific commands along with the exact options those commands need and the user groups which will need each specific list of commands+options. The details of managing packages will depend on your distro, and whether you mean graphically or via the shell.

The manual page for sudoers is useful but it is also very long and very hard to understand at first. So here are some examples to look at before checking the manual page "man sudoers" again:

Code:

%sys ALL=(root:root) /sbin/shutdown, /usr/bin/updatedb ""

That allows the accounts in the group 'sys' to run, as root, the utility shutdown with as many options as they want. At the same time the utility updatedb can be run as root but only without any options.

Code:

%adm ALL=(root:root) /usr/sbin/service apache2 start, \ 
     /usr/sbin/service apache2 stop, \
     /usr/sbin/service apache2 reload

That allows the accounts in the group 'adm' to run the utility service but only with the options "apache2 start", "apache2 stop", or "apache2 reload".

Which distro is this for, including version?

Emerson · 10-06-2022, 06:26 AM

Make sure you use 'visudo' to make changes, it is much safer than regular editor.

NewRH · 10-06-2022, 08:58 AM

Quote:

Originally Posted by Turbocapitalist

Hello,

Start by listing the specific commands along with the exact options those commands need and the user groups which will need each specific list of commands+options. The details of managing packages will depend on your distro, and whether you mean graphically or via the shell.

The manual page for sudoers is useful but it is also very long and very hard to understand at first. So here are some examples to look at before checking the manual page "man sudoers" again:

Code:

%sys ALL=(root:root) /sbin/shutdown, /usr/bin/updatedb ""

That allows the accounts in the group 'sys' to run, as root, the utility shutdown with as many options as they want. At the same time the utility updatedb can be run as root but only without any options.

Code:

%adm ALL=(root:root) /usr/sbin/service apache2 start, \ 
     /usr/sbin/service apache2 stop, \
     /usr/sbin/service apache2 reload

That allows the accounts in the group 'adm' to run the utility service but only with the options "apache2 start", "apache2 stop", or "apache2 reload".

Which distro is this for, including version?

Thank you! I am on RHEL 8.5