Allow certain guests to execute certain commands
Sudo
and the /etc/sudoers
file aren't just for granting users full root access.
You can edit the sudoers file with an existing sudo user, with the command sudo visudo
You can group the commands that you want to grant access to like below:
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get
You can then give a specific user privileges to those commands like so:
[User's name] ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS
This can be seen in the image below:
Now if you try sudo apt-get update
or sudo apt-get dist-upgrade
those commands will execute without asking for a password. If you want to be prompted for a password, remove the NOPASSWD
bit where you grant a user access to command groups.
If you try to run anything else as the sudo
user, you will be prompted for a password and fail.
References
- Ubuntu Docs - Sudoers
- How To Edit the Sudoers File on Ubuntu and CentOS
- Take Control of your Linux | sudoers file: How to with Examples
Related videos on Youtube
Programster
Updated on September 18, 2022Comments
-
Programster over 1 year
I would like to create a new user on some of my Debian/Ubuntu hosts that is able to update the server using the commands
apt-get update
andapt-get dist-upgrade
, but I do not wan't to give them full sudo access to be able to do anything else. Is this possible? Perhaps there is a way to create a script that they can't edit but can execute, which will get executed as the root user?-
Admin almost 9 yearsSee
man sudoers
andsudo cat /etc/sudoers
. -
Admin almost 9 yearsThanks @goldilocks I had always thought the sudoers file was just to allow people to be granted root access before.
-
-
Gilles 'SO- stop being evil' almost 9 yearsNote that giving users the permission to run
apt-get
, or even merelyapt-get upgrade
, gives them full root access! Many upgrade scripts allow the interactive user to execute a shell, for example when a configuration file has changed. To be safe, restrictapt-get
to certain commands, and force it to be non-interactive. See Is it safe for my ssh user to be given passwordless sudo forapt-get update
andapt-get upgrade
? -
Aleksey over 6 yearsIn my case I had to put the line after
%sudo ...