Allow certain guests to execute certain commands

permissions sudo privileges
71,849

Sudo and the /etc/sudoers file aren't just for granting users full root access.

You can edit the sudoers file with an existing sudo user, with the command sudo visudo

You can group the commands that you want to grant access to like below:

Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get

You can then give a specific user privileges to those commands like so:

[User's name] ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS

This can be seen in the image belowenter image description here:

Now if you try sudo apt-get update or sudo apt-get dist-upgrade those commands will execute without asking for a password. If you want to be prompted for a password, remove the NOPASSWD bit where you grant a user access to command groups.

If you try to run anything else as the sudo user, you will be prompted for a password and fail.

References

Share:
71,849

Related videos on Youtube

Programster
Author by

Programster

Updated on September 18, 2022

Comments

  • Programster
    Programster over 1 year

    I would like to create a new user on some of my Debian/Ubuntu hosts that is able to update the server using the commands apt-get update and apt-get dist-upgrade, but I do not wan't to give them full sudo access to be able to do anything else. Is this possible? Perhaps there is a way to create a script that they can't edit but can execute, which will get executed as the root user?

    • Admin
      Admin almost 9 years
      See man sudoers and sudo cat /etc/sudoers.
    • Admin
      Admin almost 9 years
      Thanks @goldilocks I had always thought the sudoers file was just to allow people to be granted root access before.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' almost 9 years
    Note that giving users the permission to run apt-get, or even merely apt-get upgrade, gives them full root access! Many upgrade scripts allow the interactive user to execute a shell, for example when a configuration file has changed. To be safe, restrict apt-get to certain commands, and force it to be non-interactive. See Is it safe for my ssh user to be given passwordless sudo for apt-get update and apt-get upgrade?
  • Aleksey
    Aleksey over 6 years
    In my case I had to put the line after %sudo ...

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to make everything run as root in ubuntu?
Open file or application as root from GUI
How can I have a PHP script run a shell script as root?
Should Vagrant require sudo for each command?
Allow chown command to www-data user
"Sorry, user user1 is not allowed to execute '/bin/ls' as root on hostname"
Why should I be installing my applications in the /opt location?
Sudo is not asking for password on Ubuntu 16.04
Editing sudoers.d to allow www-data run a specific file
Difference between sudo -u and su -c