Giving limited Sudo privilege to a user

You can use command aliases to limit what commands the user can run as sudo - e.g. this /etc/sudoers restricts the user to commands needed to do admin:

# define host aliases
Host_Alias HOSTNAME = laptop

# define command aliases
Cmnd_Alias ARCH = /bin/tar, /bin/gzip, /bin/gunzip
Cmnd_Alias CRYPT = /sbin/losetup, /sbin/cryptsetup
Cmnd_Alias DIR = /bin/mkdir, /bin/rmdir
Cmnd_Alias DEVICE = /sbin/ifup, /sbin/ifdown
Cmnd_Alias DISK = /bin/mount, /bin/umount
Cmnd_Alias EDIT = /usr/bin/nano, /usr/bin/gedit
Cmnd_Alias FILE = /bin/cp, /bin/echo, /bin/ln, /bin/mv, /bin/rm, /usr/bin/touch, /usr/bin/rename
Cmnd_Alias FORMAT = /sbin/mkfs.ext2, /sbin/mkfs.ext3, /sbin/mkfs.ext4, /sbin/mkfs.msdos, /sbin/mkfs.vfat
Cmnd_Alias NAV = /usr/bin/nautilus
Cmnd_Alias NETWORK = /sbin/route, /sbin/iptables, /usr/bin/nmap, /usr/sbin/hping3
Cmnd_Alias PERM = /bin/chattr, /bin/chgrp, /bin/chmod, /bin/chown
Cmnd_Alias PROCESS = /usr/bin/ps, /bin/kill, /usr/bin/killall, /sbin/shutdown
Cmnd_Alias SELINUX = /usr/sbin/semanage, /usr/bin/chcon, /sbin/restorecon, /usr/sbin/setsebool
Cmnd_Alias SERVERS = /etc/init.d/network, /etc/init.d/cups, /etc/init.d/nfs, /etc/init.d/httpd, /etc/init.d/vsftpd
Cmnd_Alias SERVICE = /usr/bin/systemctl, /sbin/chkconfig, /sbin/service, /usr/sbin/updatedb
Cmnd_Alias SOFTWARE = /usr/bin/dpkg, /usr/bin/apt-get
Cmnd_Alias VIEW = /bin/cat, /usr/bin/du, /bin/ls, /bin/tree, /bin/top, /usr/bin/tail

# define access
root ALL = (ALL) ALL
wilf HOSTNAME = NOPASSWD: ARCH, CRYPT, DIR, DISK, DEVICE, EDIT, FILE, FORMAT, NAV, NETWORK, PERM, PROCESS, SERVERS, SERVICE, SOFTWARE, VIEW

Don't just copy and paste this. Read the manual (man sudoers) and try to understand what it does first to keep your system secure, particularly the NOPASSWD bits (the above is intended for a device that doesn't need that great security). Also check afterwards that users can't sudo -i around it etc.

You can also assign commands to specific groups instead of individual users. For example, to allow users in the group wheel (this needs to exist and have the needed users added to it) to shut down the computer with sudo shutdown... and no password:

 %wheel ALL= NOPASSWD: /sbin/shutdown

With the specifics of getting a Steam application (or a certain program) to run, find/create a launcher for it (usually in ~/.local/share/applications if done by a local user); you can use that to find the command you need to run it. Please note this usually refers to a program stored in ~/.local/share. HOWEVER, usually giving a user sudo access to a script in an editable directory is a REALLY BAD IDEA, as they could swap out the script with their own one to get elevated access. If you do want to give them access to a few scripts, make sure they are only editable by root (e.g. in /sbin with the correct permission). If you don't trust a user, don't give them sudo access.

Author by Devlin Wirkkala

Updated on September 18, 2022
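
The "only editable by root" check from the answer above, as an added example that is not part of the original post: it flags a sudo target when the file or any parent directory is not root-owned or is group/other-writable. The function names and the TRUSTED_UID override are hypothetical, and GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example: audit a path before granting sudo on it.
# TRUSTED_UID is an assumption of this sketch: 0 (root) in real use,
# overridable only so the check can be exercised without root.
TRUSTED_UID="${TRUSTED_UID:-0}"

# entry_ok PATH: succeed only if PATH is owned by TRUSTED_UID and is
# not writable by group or other. Requires GNU stat (Linux).
entry_ok() (
    owner=$(stat -c '%u' -- "$1") || exit 2
    mode=$(stat -c '%a' -- "$1") || exit 2
    if [ "$owner" != "$TRUSTED_UID" ]; then
        echo "UNSAFE $1: owned by uid $owner"; exit 1
    fi
    # %a is octal (e.g. 755); mask 022 = group-write | other-write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $1: mode $mode is group/other-writable"; exit 1
    fi
)

# target_ok PATH: resolve symlinks, then apply entry_ok to the file and
# to every parent directory up to /, because write access to a parent
# directory lets a user replace what sits inside it.
target_ok() (
    p=$(readlink -f -- "$1") || exit 2
    [ -e "$p" ] || { echo "UNSAFE $1: does not exist"; exit 2; }
    rc=0
    while :; do
        entry_ok "$p" || rc=1
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname -- "$p")
    done
    exit "$rc"
)

# Stand-alone use (file name is hypothetical): sh check.sh /sbin/shutdown
for f in "$@"; do
    if target_ok "$f"; then echo "OK $f"; fi
done
```

A script under ~/.local/share fails this check at the first user-owned directory, which is the swap-out risk the answer describes.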

Comments

  • Devlin Wirkkala over 1 year

    I've heard it can be done but have found no documentation on it. Specifically I want to give someone the ability to use their password as sudo for a Steam application.

    • Wilf almost 9 years
      Why do you need to run Steam as root?
    • Wilf about 7 years
      EDIT: yes, I know really old games require root permission. Sadly it may be best to avoid these...
  • Nullpointer about 7 years
    I've created a custom file in the /etc/sudoers.d/ folder and commented out (%sudo and %smith) in the sudoers file for the smith user, but sudo is still working. Can you say why?
  • Wilf about 7 years
    Based on your question here that may not be the easiest/best solution - what did you put after the %smith etc. lines? If you do ask a new question, please specify what they need to be able to access, and show the sudoers etc. methods you have tried. BTW it may be best to give the users only sudo access to some custom scripts (WITH LIMITED USER INPUT).