How to give nopasswd access to multiple commands via sudoers?
Solution 1
I have solved the issue by creating a new group for limited admin rights... name of that group is LimitedAdmins.
After that I updated the sudoers file as below.
The line I appended is:
%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart
This is the complete /etc/sudoers file:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
%domain_name\\administrators ALL=(ALL) ALL
%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart
It works perfectly fine whether your system is in a domain or not.
Solution 2
Looks like comma is what you need.
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
...
user3 ALL= PRINTING
Solution 3
FWIW, I was wondering the same thing as the OP, and it looks like you can as well just duplicate the lines, e.g.
user_name ALL=NOPASSWD: cmd1
user_name ALL=NOPASSWD: cmd2
user_name ALL=NOPASSWD: cmd3
Solution 4
What I ended up doing was (Similar to what you are looking for):
## PRTG monitoring
Cmnd_Alias PRTG = /bin/cat /proc/loadavg, /bin/df, /var/prtg/scripts/check_proc.sh
prtg ALL = NOPASSWD: PRTG
Inside: /etc/sudoers.d/666-prtg
(666, because... well... prtg IS a windows based monitoring tool you know)
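A small audit pass over the rules posted on this page, as an added example (not code from any of the answers): it flags NOPASSWD commands that contain a wildcard, the concern raised in the comments about apt-get*, and commands listed without arguments, which sudoers matches with any arguments. It is a simplified parser that handles only single-line rules and Cmnd_Alias definitions; SAMPLE is a constructed fragment assembled from the answers' own lines, and the function names are this example's own.

```python
import re

# Constructed sample: rules quoted from the answers on this page, in one fragment.
SAMPLE = """\
Cmnd_Alias PRTG = /bin/cat /proc/loadavg, /bin/df, /var/prtg/scripts/check_proc.sh
prtg ALL = NOPASSWD: PRTG
%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart
#includedir /etc/sudoers.d
%sudo ALL=(ALL:ALL) ALL
"""

# Simplified grammar (assumption): one rule per line, no continuations, one tag.
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def split_cmds(text):
    """Split a sudoers command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", text) if c.strip()]

def audit(sudoers_text):
    """Return (line_no, who, command, issue) for each risky NOPASSWD command."""
    aliases, findings = {}, []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        # Comments, Defaults and '#includedir' grant no commands: skip them.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = split_cmds(m.group(2))
            continue
        m = SPEC.match(line)
        if not m or "NOPASSWD:" not in m.group(2):
            continue
        who, cmds = m.group(1), m.group(2).split("NOPASSWD:", 1)[1]
        for item in split_cmds(cmds):
            for cmd in aliases.get(item, [item]):  # expand a Cmnd_Alias name
                if cmd == "ALL":
                    findings.append((no, who, cmd, "any command, no password"))
                elif "*" in cmd or "?" in cmd:
                    findings.append((no, who, cmd, "wildcard: matches unlisted text"))
                elif " " not in cmd:
                    findings.append((no, who, cmd, "no arguments listed: any accepted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```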
Program man
It's my passion and job... So I have to work on all flavors of Linux. I am launching my own company very soon in the IT sector. Thank you all for giving support and to start such a good platform for all Linux users. Ubuntu rocks... :) Please feel free to contact me in case of any query on [email protected]
Updated on September 18, 2022
Comments
-
Program man over 1 year
Below is what I know:
I have to add this below line in sudoers file to give rights to the user for particular task.
user_name ALL=NOPASSWD: /usr/bin/apt-get install
In this case I want to give access to this user to restart 2 services (i.e. Apache and MySQL) with all install rights.
Using the above line, I have given him all install rights, now do I have to add same line two more times to give the rights for services? Or can I just add those commands in the same line, separated by comma or something?
-
Karthik T over 11 years
@Rishee I will try once I get home
-
Program man over 11 years
My sudoers file contains the below mentioned things.
-
hamstar almost 11 years
You're not supposed to put stuff after the #includedir line are you?
-
Program man almost 11 years
@hamstar Hey Hi! Yes you are right, though I have used this configuration file in my company for more than 2 years now & it works perfectly fine. Even so, I would also recommend putting the last two lines before #includedir.
-
tgharold over 10 years
Or better, put those two lines into a new file under /etc/sudoers.d instead of editing /etc/sudoers.
-
Program man over 10 years
@tgharold Yes buddy!! You are right... it is really a better option than what I have suggested... :) Appreciate your idea, will try to implement at my place as well.
-
HeatfanJohn about 10 years
Is #includedir a comment? Or does the include happen automatically and the comment just reminds us of that?
-
Program man about 10 years
Yes, it is a comment, but we should un-comment it and use that path to make changes to the sudoers, as that is the best option, which is suggested by @tgharold
-
EdgeCaseBerg about 9 years
I don't think you should use apt-get*, the sudo manual advises against using * after commands as they allow any text after the apt-get which might lead to security issues (in my understanding)
-
spkane almost 9 years
#includedir /etc/sudoers.d is not a comment. It is an actual config parameter. That is why the space is missing after the hash/pound sign. See: sudo.ws/man/1.8.13/sudoers.man.html
-
Jruv over 4 years
Pay attention to the blank space before each command and after the comma symbol. It's very important, otherwise, you will get "/etc/sudoers: syntax error near line XX"