Whitelisting commands a user can use with sudo

Try to add something like this:

user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args

On the above line:

  • user is the user that needs access to the commands
  • /bin/cmd1 args, /bin/cmd2 args are the commands
  • root is the user under which the commands will be executed

Updated on September 18, 2022

Comments

  • edrw
    edrw over 1 year

    I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.

    I've tried:

    1. user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

    2. user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

    3. user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

    4. user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL

    All of those attempts have resulted in a syntax error in the /etc/sudoers file.

    I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?

  • edrw
    edrw over 8 years
    Still results in a syntax error on that line when I save the file
  • cristi
    cristi over 8 years
    I got sudo user and commands mixed up. Try with the edit format
  • edrw
    edrw over 8 years
    So one of the commands I'm trying to whitelist is a /bin/chown user:group /some/folder and apparently the unescaped colon was causing a syntax error.
  • edrw
    edrw over 8 years
    What is root specifying here? It works with 'user ALL=NOPASSWD: /bin/cmd args, /bin/cmd2 args' as well.
  • Steen Schütt
    Steen Schütt over 3 years
    And ALL specifies that the rule applies on all hosts (if you were to copy the file elsewhere, for example), for anyone who is curious.
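The following shell script is an added example, not code from the thread or from any of its posters. It builds a rule in the same shape as the answer above (user, host, runas user, NOPASSWD tag, command list), escapes the characters in command arguments that sudoers treats specially (the unescaped colon in the chown comment is exactly this problem), and has visudo parse the result on a temporary copy before it is installed as a drop-in. The user name deploy, the drop-in path /etc/sudoers.d/deploy-whitelist and the two commands are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a sudoers rule in the form the
# answer shows, escape argument characters that would otherwise cause a
# syntax error, and check the file with visudo before installing it.
# User "deploy", the commands and the drop-in path are assumed values.

# sudoers(5) requires '\', ',', ':' and '=' inside a command argument to be
# escaped with a backslash; an unescaped "user:group" is a syntax error.
escape_arg() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g' -e 's/:/\\:/g' -e 's/=/\\=/g'
}

# build_rule USER CMD... -> one line: USER ALL = (root) NOPASSWD: CMD, CMD
# Each CMD is a full path plus its exact (already escaped) arguments.
# A command listed with arguments matches only that exact argument list;
# a command listed without arguments may be run with any arguments at all.
build_rule() {
    _user=$1; shift
    _cmds=""
    for _c in "$@"; do
        if [ -z "$_cmds" ]; then _cmds=$_c; else _cmds="$_cmds, $_c"; fi
    done
    printf '%s ALL = (root) NOPASSWD: %s\n' "$_user" "$_cmds"
}

# write_dropin FILE USER CMD... -> write the rule to a temp file, let visudo
# parse it, and only then copy it into place with the 0440 mode sudo requires.
# A broken file under /etc/sudoers.d can lock everyone out of sudo, which is
# why the syntax check runs on the copy and not on the live file.
write_dropin() {
    _file=$1; shift
    _tmp=$(mktemp) || return 1
    build_rule "$@" > "$_tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$_tmp" || { rm -f "$_tmp"; return 1; }
    fi
    cp "$_tmp" "$_file" && chmod 0440 "$_file"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Print the rule for the chown case from the comments plus one more command.
build_rule deploy \
    "/bin/chown $(escape_arg 'www:www') /srv/app" \
    "/bin/systemctl restart app"
# Usage as root (assumed path):
#   write_dropin /etc/sudoers.d/deploy-whitelist deploy \
#       "/bin/chown www\:www /srv/app" "/bin/systemctl restart app"
```

Two points worth keeping in mind when whitelisting this way: listing a command with its arguments restricts the user to that exact argument list, while listing only the path lets the user pass any arguments, so the argument list is part of the security boundary; and editing with visudo (or checking a drop-in with visudo -c -f before it lands in /etc/sudoers.d) is what catches the syntax error described in the comments without risking the live file.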