Whitelisting commands a user can use with sudo
Try to add something like this:
user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args
On the above line:
- user is the user that needs access to the commands
- /bin/cmd1 args, /bin/cmd2 args are the commands
- root is the user under which the commands will be executed
edrw
Updated on September 18, 2022

Comments
-
edrw over 1 year
I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.
I've tried:
user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL
All of those attempts have resulted in a syntax error in the /etc/sudoers file.
I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?
-
edrw over 8 years: Still results in a syntax error on that line when I save the file.
-
cristi over 8 years: I got the sudo user and commands mixed up. Try with the edited format.
-
edrw over 8 years: So one of the commands I'm trying to whitelist is /bin/chown user:group /some/folder, and apparently the unescaped colon was causing a syntax error.
-
edrw over 8 years: What is root specifying here? It works with 'user ALL=NOPASSWD: /bin/cmd args, /bin/cmd2 args' as well.
-
Steen Schütt over 3 years: And ALL specifies that the rule applies on all hosts (if you were to copy the file elsewhere, for example), for anyone who is curious.
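Putting the answer's rule format and the comment about the escaped colon together, as an added example that is not part of the original thread: a POSIX shell script that renders a NOPASSWD rule for a fixed list of commands, backslash-escapes the characters sudoers(5) treats specially inside a word (the ':' in chown user:group among them, plus the '*', '?', '[' and ']' wildcards so an argument is matched literally), and hands the result to visudo -cf for a syntax check before anything is installed under /etc/sudoers.d/. The user deploy, the group www-data, the service name and the paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build and syntax-check a sudoers
# whitelist rule of the form
#   user ALL = (runas) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args
# Names below (deploy, www-data, /srv/app, app.service) are hypothetical.

# Backslash-escape the characters sudoers(5) says must be escaped inside a
# word (! = : , ( ) \) and the wildcard characters (* ? [ ]) so that an
# argument matches literally instead of as a pattern.  The backslash is
# handled first so the escapes added afterwards are not doubled.
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[]=:,!()*?[]/\\&/g'
}

# sudoers_rule USER RUNAS CMD...  -> one rule line on stdout.
# Each CMD is a full path followed by its fixed arguments; ALL as the host
# field means the rule applies on every host that uses this file.
sudoers_rule() {
    user=$1; runas=$2; shift 2
    cmds=""
    for c in "$@"; do
        esc=$(sudoers_escape "$c")
        cmds="${cmds:+$cmds, }$esc"
    done
    printf '%s ALL = (%s) NOPASSWD: %s\n' "$user" "$runas" "$cmds"
}

# sudoers_check FILE -> 0 if visudo parses FILE, 1 on a syntax error,
# 2 if visudo is not installed (nothing could be checked).
# visudo -c -f FILE only parses FILE; it does not touch /etc/sudoers.
sudoers_check() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1"
}

# Demo: render the rule into a temporary file and let visudo parse it.
# Run as: sh sudoers_rule.sh --demo
sudoers_demo() {
    tmp=$(mktemp) || return 1
    sudoers_rule deploy root \
        '/bin/chown www-data:www-data /srv/app' \
        '/bin/systemctl restart app.service' > "$tmp"
    cat "$tmp"
    sudoers_check "$tmp"
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "visudo not found; on the target host install the line with:" >&2
        echo "  visudo -f /etc/sudoers.d/deploy   (file mode 0440)" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    sudoers_demo
fi
```

The rendered line is `deploy ALL = (root) NOPASSWD: /bin/chown www-data\:www-data /srv/app, /bin/systemctl restart app.service`; without the backslash, sudoers reads the colon as the separator that ends the runas/tag part of the rule, which is the syntax error described in the comments. Two points worth keeping in mind when writing such a list: arguments given in the rule must match exactly what the user types, so a rule that names the command with no arguments at all permits any arguments, and `""` after the command restricts it to no arguments; and a path like /srv/app should be something the user cannot turn into a symlink, since the rule only constrains the argument text, not what it resolves to at run time.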