We all know that sudo (short for "superuser do") grants elevated access and can perform most of the actions root can. So we should not give unprivileged users full sudo access, because a wrong action performed without their knowledge can badly damage the system.
In some cases a development team needs elevated access to perform some action as root. What do you do in that situation?
Instead of permitting full sudo access, we can allow a user to run only the required commands as root, authenticating with their own password, by adding the user to the /etc/sudoers file in the following format.
[UserName] [HostName]=[Command1, Command2,..CommandN]
Details about the /etc/sudoers syntax:
UserName : name of the normal user.
HostName : hostname of the system on which the user is allowed to perform the action.
Command : list of the commands the user is allowed to run; you can specify arguments (including wildcards).
Alternatively, we can allow the user to run the commands without a password using the following syntax.
[UserName] [HostName]= [NOPASSWD:] [Command1, Command2,..CommandN]
sudo logs are written to /var/log/secure on RPM based systems (RHEL/CentOS/Fedora) and to /var/log/auth.log on DEB based systems (Ubuntu/Debian).
Example-1 : Allow user to run commands with password
In this example, we will show you how to allow a user to run the Apache service command with a password.
Open the /etc/sudoers file with visudo and add the user in the following format to accomplish this.
# visudo
magi centos.2daygeek.com=/etc/init.d/httpd
We have permitted user magi to run Apache commands like start, stop, and restart; my system hostname is centos.2daygeek.com.
We are going to run the following commands to check whether it's working for user magi.
$ sudo /etc/init.d/httpd stop
$ sudo /etc/init.d/httpd start
$ sudo /etc/init.d/httpd restart
For a better understanding, look at the sudo log file, because sudo logs every command it runs.
# tail -f /var/log/secure
Jul 20 16:48:24 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd stop
Jul 20 16:51:52 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd start
Jul 20 16:51:59 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd restart
Note : When the user tries to run any command other than the Apache service, it throws a permission denied error. See below.
$ sudo /etc/init.d/mysqld stop
Sorry, user magi is not allowed to execute '/etc/init.d/mysqld stop' as root on centos.2daygeek.com.
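Because sudo records every accepted and refused command, the log is where an administrator checks that a rule like the one above is actually being used as intended. The following POSIX shell script is an added example, not part of the article: it summarises log lines in the format shown above (the group log in Example-6 has the same format) per user, and lists the commands sudo refused. The sample lines are constructed in that format; the third one uses the "command not allowed" form that sudo writes to the log when it refuses a command, which is how the denial shown above appears in /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the article): summarise sudo log lines.
# SAMPLE_LOG is constructed in the format the article shows under
# /var/log/secure; the "command not allowed" line is the form sudo logs
# when a user runs a command their sudoers rule does not cover.
SAMPLE_LOG='Jul 20 16:48:24 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd stop
Jul 20 16:51:52 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd start
Jul 20 16:52:10 vps138235 sudo: magi : command not allowed ; TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/mysqld stop
Jul 21 07:29:07 vps138235 sudo: daygeek : TTY=pts/2 ; PWD=/home/daygeek ; USER=root ; COMMAND=/etc/init.d/httpd start'

# sudo_summary: read sudo log lines on stdin and print one line per user:
#   "<user> <allowed-count> <denied-count>", sorted by user name.
sudo_summary() {
  awk '
    /sudo: / {
      sub(/^.*sudo: /, "")          # drop timestamp, host and "sudo: "
      split($0, f, " : ")           # first field is the invoking user
      user = f[1]
      if ($0 ~ /command not allowed/) denied[user]++
      else allowed[user]++
      users[user] = 1
    }
    END {
      for (u in users) printf "%s %d %d\n", u, allowed[u] + 0, denied[u] + 0
    }
  ' | sort
}

# sudo_denied_commands: print "<user> <command line>" for every refused attempt,
# i.e. the commands a rule did not cover; useful when tightening a rule.
sudo_denied_commands() {
  awk '/sudo: / && /command not allowed/ {
      sub(/^.*sudo: /, ""); split($0, f, " : "); user = f[1]
      sub(/^.*COMMAND=/, "")        # keep only the command and its arguments
      print user " " $0
  }'
}

# Demo on the constructed sample: prints "daygeek 1 0" and "magi 2 1",
# then "magi /etc/init.d/mysqld stop".
printf '%s\n' "$SAMPLE_LOG" | sudo_summary
printf '%s\n' "$SAMPLE_LOG" | sudo_denied_commands
```

Run it against the real file with `sudo_summary < /var/log/secure` (or /var/log/auth.log on Debian/Ubuntu); a non-zero denied count for a user is the signal to look at what they tried and whether the rule or the user needs attention.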
Example-2 : Allow user to run commands without password
In this example, we will show you how to allow a user to execute the chown command on files owned by root (by default a normal user cannot change the ownership of a root-owned file).
Open the /etc/sudoers file with visudo and add the user in the following format to accomplish this.
# visudo
magi centos.2daygeek.com=NOPASSWD: /bin/chown
We have permitted user magi to run the chown command as root without being asked for the sudo password. We are going to change the ownership of the httpd.conf file from root to my own user.
Before performing the action:
# ls -lh /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 root root 34K Jul 7 06:34 /etc/httpd/conf/httpd.conf
We are going to run the following command to check whether it's working for user magi.
$ sudo chown magi:magi /etc/httpd/conf/httpd.conf
After the action is performed:
# ls -lh /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 magi magi 34K Jul 7 06:34 /etc/httpd/conf/httpd.conf
Example-3 : Allow user to run commands with particular arguments
In this example, we will show you how to allow a user to run the MySQL service command with particular arguments only.
Open the /etc/sudoers file with visudo and add the user in the following format to accomplish this.
# visudo
magi centos.2daygeek.com=/etc/init.d/mysqld restart
We have permitted user magi to run the mysql restart command only, instead of permitting all of start, stop, and restart.
$ sudo /etc/init.d/mysqld restart
[sudo] password for magi:
Stopping mysqld: [ OK ]
Starting mysqld: [ OK ]
It throws an error when we try to run other MySQL service commands.
$ sudo /etc/init.d/mysqld stop
[sudo] password for magi:
Sorry, user magi is not allowed to execute '/etc/init.d/mysqld stop' as root on centos.2daygeek.com.
Example-4 : Allow user to run various commands
In this example, we will show you how to allow a user to run several commands.
Open the /etc/sudoers file with visudo and add the user in the following format to accomplish this.
# visudo
magi centos.2daygeek.com=/sbin/halt, /bin/kill
We have permitted user magi to run the halt and kill commands.
Example-5 : Allow user to run commands with wildcards
In this example, we will show you how to allow a user to run all commands under /bin using a wildcard.
Open the /etc/sudoers file with visudo and add the user in the following format to accomplish this.
# visudo
magi centos.2daygeek.com=/bin/*
We have permitted user magi to run any command under /bin, like chmod, chown, fdisk, etc.
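The rule format described at the top of the article ([UserName] [HostName]=[NOPASSWD:] [Commands]) and the wildcard rule in this example are easy to get subtly wrong, and a syntax error in /etc/sudoers can lock everyone out of sudo. The following POSIX shell script is an added example, not part of the article: it assembles a rule line from its parts, lints it for two common problems (a command that is not an absolute path, which sudoers rejects, and a wildcard in the command path, which matches every program in that directory, including /bin/sh, rather than just the chmod, chown and fdisk named above), and, when visudo is installed, runs visudo's check mode on a temporary copy before anything is written to /etc/sudoers. The user, host and command values are the article's own; the function names are this example's.

```shell
#!/bin/sh
# Added example (not from the article): build, lint and syntax-check a
# sudoers rule line in the article's "[UserName] [HostName]=[NOPASSWD:]
# [Command1, Command2,..CommandN]" form.

# make_rule SUBJECT HOST NOPASSWD CMD...  -> prints one sudoers line
#   SUBJECT is a user ("magi") or a group with the % prefix ("%2daygeek")
#   NOPASSWD is "yes" or "no"
make_rule() {
  subject=$1; host=$2; nopass=$3; shift 3
  cmds=""
  for c in "$@"; do
    cmds="${cmds:+$cmds, }$c"        # join commands with ", "
  done
  tag=""
  [ "$nopass" = "yes" ] && tag="NOPASSWD: "
  printf '%s %s=%s%s\n' "$subject" "$host" "$tag" "$cmds"
}

# lint_rule SUBJECT HOST CMD...  -> returns 0 if clean, 1 if any problem
# Each command must start with an absolute path (sudoers requires this),
# and a wildcard in the path part widens the rule to a whole directory.
lint_rule() {
  subject=$1; host=$2; shift 2
  rc=0
  if [ -z "$subject" ] || [ -z "$host" ]; then
    echo "subject and host are required" >&2; rc=1
  fi
  for c in "$@"; do
    path=${c%% *}                    # program path without its arguments
    case $path in
      /*) ;;
      *) echo "not an absolute path: $c" >&2; rc=1 ;;
    esac
    case $path in
      *\**|*\?*|*\[*) echo "wildcard in command path: $c" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# check_rule RULE_LINE -> parse the line with "visudo -cf" on a temp file;
# skipped (returns 0) when visudo is not installed on this machine.
check_rule() {
  if ! command -v visudo >/dev/null 2>&1; then
    echo "visudo not installed; skipping syntax check" >&2
    return 0
  fi
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$tmp"
  visudo -cf "$tmp" >/dev/null 2>&1; rc=$?
  rm -f "$tmp"
  return $rc
}

# Demo with the article's Example-2 rule: lint passes, so the line is checked.
rule=$(make_rule magi centos.2daygeek.com yes /bin/chown)
lint_rule magi centos.2daygeek.com /bin/chown && check_rule "$rule" && printf 'OK: %s\n' "$rule"
# The Example-5 rule fails the lint because of the wildcard in /bin/*.
lint_rule magi centos.2daygeek.com '/bin/*' || echo "rule rejected by lint"
```

Only after a line passes both the lint and the visudo check is it worth opening /etc/sudoers with visudo and pasting it in; visudo itself will refuse to save a file it cannot parse, but the lint catches the over-broad rule that parses fine.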
Example-6 : Allow Group to run commands with password
In this example, we will show you how to allow a group (a group of users) to run commands.
[%][GroupName] [HostName]=[Command1, Command2,..CommandN]
/etc/sudoers syntax for a group:
% : prefix that marks the name as a group, allowing every user in the group to perform the action.
GroupName : name of the group.
HostName : hostname of the system on which the users are allowed to perform the action.
Command : list of the commands the users are allowed to run; you can specify arguments (including wildcards).
Let's imagine we have a group called 2daygeek, and magi and daygeek are members.
# grep "2daygeek" /etc/group
2daygeek:x:502:magi,daygeek
Open the /etc/sudoers file with visudo and add the group in the following format to accomplish this.
# visudo
%2daygeek centos.2daygeek.com=/etc/init.d/httpd
We have permitted the members of group 2daygeek to run the Apache service commands. Check the log below for a better understanding.
Jul 21 07:26:27 vps138235 sudo: magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd stop
Jul 21 07:29:07 vps138235 sudo: daygeek : TTY=pts/2 ; PWD=/home/daygeek ; USER=root ; COMMAND=/etc/init.d/httpd start
We have run the Apache stop command as magi and the Apache start command as daygeek.
A great article, thank you!
And how to gain a particular access to any group, not a single user?
Thanks, and good question. I have included in the article how to permit a group to perform the action; refer to Example-6.
Sorry, I found it.
Thank you!