Allow User to Run Specific Commands as Root

Sudo Access

In this tutorial I am going to explain how to allow a user or a group to run specific commands as root, and look at some other tricks. To learn the basics, read the article from the links below:

1.) Restrict the user “sam” to running only some root (superuser) commands.

Let's give the user “sam” access to only the yum, userdel and groupadd commands. Before that, find the full path of each command, because sudoers matches on absolute paths:

# which yum
# which userdel
# which groupadd

[root@server1 ~]# which yum
/usr/bin/yum
[root@server1 ~]# which userdel
/usr/sbin/userdel
[root@server1 ~]# which groupadd
/usr/sbin/groupadd
[root@server1 ~]#

Now edit the /etc/sudoers file with visudo and add a rule with the paths found above, as shown below.

# visudo

## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       /usr/bin/yum, /usr/sbin/userdel, /usr/sbin/groupadd

Now log in as the user “sam” and try the assigned commands.

[root@server1 ~]# su - sam
[sam@server1 ~]$ sudo userdel amit

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sam: 
[sam@server1 ~]$ sudo groupadd Network
[sam@server1 ~]$ sudo yum install net-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package net-tools.x86_64 0:2.0-0.17.20131004git.el7 will be installed

......
Transaction Summary
================================================================================
Install  1 Package

Total download size: 304 k
Installed size: 917 k
Is this ok [y/d/N]: y

As shown above, the user “sam” can now run those root commands through sudo, and only those.

2.) Allow a “Network” group to run only network-related root commands.

First check the members of the “Network” group in /etc/group.

# cat /etc/group

[root@server1 ~]# tail -n 3 /etc/group
Network:x:1005:sam,frank,anil
itcare:x:1006:
anil:x:1007:
[root@server1 ~]#

To give the “Network” group access to the network commands, first uncomment the following Cmnd_Alias line (line number 27 of the default sudoers file).

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Note: NETWORKING is the name of the command alias; a rule can reference it in place of the list of paths.

Now edit the sudoers file as shown below.

# visudo

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%Network ALL=(ALL)       NETWORKING
## Same thing without a password

The Network line is the wheel line with “ALL” in the last field replaced by “NETWORKING”, so members of the group get exactly the commands in that alias.

Now log in as one of the users in the “Network” group and try the networking commands.

[root@server1 ~]# su - anil
[anil@server1 ~]$ sudo iptables -vnL

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for anil: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2828  211K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5   315 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

3.) Build a custom command alias and assign it to the “Network” group along with the network commands.

First create an alias, say “CUSTOM”, with some commands, and assign it to the “Network” group together with the NETWORKING alias.

# visudo

## customize commands 
Cmnd_Alias CUSTOM = /bin/systemctl, /bin/mount, /bin/umount

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.

Now assign it to the “Network” group by listing both aliases in the last field.

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%Network ALL=(ALL)      NETWORKING, CUSTOM
## Same thing without a password

Now log in as one of the users in the “Network” group and try the networking commands as well as the custom ones.

[root@server1 ~]# su - frank
Last login: Mon Sep 19 11:26:30 EDT 2016 on pts/1
[frank@server1 ~]$ sudo systemctl restart vsftpd.service
[sudo] password for frank: 
[frank@server1 ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  824M  6.2G  12% /
devtmpfs                 487M     0  487M   0% /dev
tmpfs                    497M     0  497M   0% /dev/shm
tmpfs                    497M  6.6M  490M   2% /run
tmpfs                    497M     0  497M   0% /sys/fs/cgroup
/dev/mapper/centos-home  2.0G   33M  2.0G   2% /home
/dev/mapper/centos-var   1.9G  183M  1.7G  10% /var
/dev/sda1                297M  114M  184M  39% /boot
tmpfs                    100M     0  100M   0% /run/user/0
/dev/sdc1                9.8G  7.4G  1.9G  80% /centos7
[frank@server1 ~]$ umount /centos7
umount: /centos7: umount failed: Operation not permitted
[frank@server1 ~]$ sudo umount /centos7
[frank@server1 ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  824M  6.2G  12% /
devtmpfs                 487M     0  487M   0% /dev
tmpfs                    497M     0  497M   0% /dev/shm
tmpfs                    497M  6.6M  490M   2% /run
tmpfs                    497M     0  497M   0% /sys/fs/cgroup
/dev/mapper/centos-home  2.0G   33M  2.0G   2% /home
/dev/mapper/centos-var   1.9G  183M  1.7G  10% /var
/dev/sda1                297M  114M  184M  39% /boot
tmpfs                    100M     0  100M   0% /run/user/0
[frank@server1 ~]$
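Steps 1 to 3 above are edits made by hand in visudo. The script below is an added example, not part of this tutorial, that produces the same rules (the per-user list from step 1, the Cmnd_Alias lines and the %Network rule from steps 2 and 3) as a drop-in file for /etc/sudoers.d/, and runs visudo in check mode on that file before it is installed. It assumes the default `#includedir /etc/sudoers.d` line is present in /etc/sudoers, as it is on CentOS 7; the function names (join_commas, resolve_cmds, render_alias, render_rule, check_fragment, install_fragment) are my own. The demonstration at the end writes the tutorial's paths literally so it runs on a machine without yum; on the real host, `resolve_cmds` replaces the `which` step.

```shell
#!/bin/sh
# Build the rules from steps 1-3 as a sudoers drop-in and syntax-check it with
# visudo before it can take effect. A drop-in under /etc/sudoers.d/ is easier
# to review and remove than an edit to /etc/sudoers, and `visudo -c -f FILE`
# parses a single file in isolation, so a typo never reaches the live config.

# join_commas WORD...: "a, b, c" (sudoers separates list members with ", ").
join_commas() {
    out=""
    for w in "$@"; do out="${out:+$out, }$w"; done
    printf '%s' "$out"
}

# resolve_cmds NAME...: absolute path of each command, one per line. sudoers
# matches on the full path, so a name missing from PATH is an error here
# rather than a rule that silently never matches.
resolve_cmds() {
    for name in "$@"; do
        path=$(command -v "$name") || { echo "resolve_cmds: $name not found" >&2; return 1; }
        printf '%s\n' "$path"
    done
}

# render_alias NAME PATH...: a Cmnd_Alias line,
# e.g. "Cmnd_Alias CUSTOM = /bin/mount, /bin/umount".
render_alias() {
    name=$1; shift
    printf 'Cmnd_Alias %s = %s\n' "$name" "$(join_commas "$@")"
}

# render_rule WHO CMD...: a user specification line. WHO is a user name or a
# %group; each CMD is an absolute path or an alias name,
# e.g. "sam ALL=(ALL) /usr/bin/yum, /usr/sbin/userdel".
render_rule() {
    who=$1; shift
    printf '%s ALL=(ALL) %s\n' "$who" "$(join_commas "$@")"
}

# check_fragment FILE: parse FILE with visudo in check mode; non-zero on a
# syntax error. If visudo is not installed on this machine the check is
# skipped with a warning so the rest of the script can still be exercised.
check_fragment() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "check_fragment: visudo not installed, skipping syntax check" >&2
        return 0
    fi
    visudo -c -q -f "$1"
}

# install_fragment FILE NAME: after a successful check, install FILE as
# /etc/sudoers.d/NAME owned by root with mode 0440, which is what sudo
# expects of a drop-in. Needs root; not run by the demonstration below.
install_fragment() {
    check_fragment "$1" || return 1
    install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Demonstration: the tutorial's rules, written to a temporary file and checked.
tmp=$(mktemp)
{
    render_alias NETWORKING /sbin/route /sbin/ifconfig /bin/ping /sbin/dhclient /usr/bin/net /sbin/iptables /usr/bin/rfcomm /usr/bin/wvdial /sbin/iwconfig /sbin/mii-tool
    render_alias CUSTOM /bin/systemctl /bin/mount /bin/umount
    render_rule sam /usr/bin/yum /usr/sbin/userdel /usr/sbin/groupadd
    render_rule %Network NETWORKING CUSTOM
} > "$tmp"
cat "$tmp"
check_fragment "$tmp" && echo "fragment parses; as root run: install_fragment $tmp network-team"
rm -f "$tmp"
```

After installing a fragment, `sudo -l -U sam` (run as root) lists exactly what sudo would grant sam, which is a quicker check than logging in as each user.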

4.) Prevent sudo users from running specific commands.

Let's stop the user sam from running the shutdown and fdisk commands.

# visudo

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       ALL, !/sbin/shutdown, !/sbin/fdisk
## Allows members of the 'sys' group to run networking, software,

This means that user sam may run any command except shutdown and fdisk.

[root@server1 ~]# su - sam
Last login: Mon Sep 19 11:54:06 EDT 2016 on pts/1
[sam@server1 ~]$ sudo fdisk -l
[sudo] password for sam: 
Sorry, user sam is not allowed to execute '/sbin/fdisk -l' as root on server1.
[sam@server1 ~]$ sudo shutdown -r now
[sudo] password for sam: 
Sorry, user sam is not allowed to execute '/sbin/shutdown -r now' as root on server1.
[sam@server1 ~]$ sudo mount /dev/sdc1 /centos7
[sudo] password for sam: 
[sam@server1 ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  824M  6.2G  12% /
devtmpfs                 487M     0  487M   0% /dev
tmpfs                    497M     0  497M   0% /dev/shm
tmpfs                    497M  6.6M  490M   2% /run
tmpfs                    497M     0  497M   0% /sys/fs/cgroup
/dev/mapper/centos-home  2.0G   33M  2.0G   2% /home
/dev/mapper/centos-var   1.9G  184M  1.7G  10% /var
/dev/sda1                297M  114M  184M  39% /boot
tmpfs                    100M     0  100M   0% /run/user/0
/dev/sdc1                9.8G  7.4G  1.9G  80% /centos7
[sam@server1 ~]$

Note: The same can be done for groups; try it!

5.) Give sudo rights only to a specific script file.

This task is very simple: edit the sudoers file and add the path of the script file, as shown below.

# visudo

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       /home/sam/script.sh

## Allows members of the 'sys' group to run networking, software,

Now log in as the user “sam” and try to execute the above script using sudo.

[root@server1 ~]# su - sam
Last login: Mon Sep 19 12:26:28 EDT 2016 on pts/1
[sam@server1 ~]$ cat script.sh
#!/bin/bash 
mount /dev/sdc1 /centos7
[sam@server1 ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  824M  6.2G  12% /
devtmpfs                 487M     0  487M   0% /dev
tmpfs                    497M     0  497M   0% /dev/shm
tmpfs                    497M  6.6M  490M   2% /run
tmpfs                    497M     0  497M   0% /sys/fs/cgroup
/dev/mapper/centos-home  2.0G   33M  2.0G   2% /home
/dev/mapper/centos-var   1.9G  184M  1.7G  10% /var
/dev/sda1                297M  114M  184M  39% /boot
tmpfs                    100M     0  100M   0% /run/user/0
[sam@server1 ~]$ sudo /home/sam/script.sh 
[sam@server1 ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  824M  6.2G  12% /
devtmpfs                 487M     0  487M   0% /dev
tmpfs                    497M     0  497M   0% /dev/shm
tmpfs                    497M  6.6M  490M   2% /run
tmpfs                    497M     0  497M   0% /sys/fs/cgroup
/dev/mapper/centos-home  2.0G   33M  2.0G   2% /home
/dev/mapper/centos-var   1.9G  184M  1.7G  10% /var
/dev/sda1                297M  114M  184M  39% /boot
tmpfs                    100M     0  100M   0% /run/user/0
/dev/sdc1                9.8G  7.4G  1.9G  80% /centos7
[sam@server1 ~]$

As shown above, the user “sam” successfully mounted the disk through sudo.
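The rules from steps 4 and 5 each carry a caveat worth checking before they go live. sudoers(5) documents that subtracting commands from ALL with “!” as in step 4 is not an effective restriction, so an allow-list of the form used in step 1 is the safer shape. And a script granted through sudo as in step 5 is only as trustworthy as its owner and permissions: /home/sam/script.sh is owned by sam, so whatever sam writes into it runs as root, and the rule should point at a root-owned, non-writable script in a root-owned directory instead. The audit below is an added example, not the tutorial's own code; it scans a sudoers fragment for both problems plus commands written without an absolute path. The function names are mine, and the fragment and script it runs on are constructed inline for the demonstration.

```shell
#!/bin/sh
# Audit a sudoers fragment for three weaknesses the rules in steps 4 and 5 can
# introduce: commands subtracted from ALL with '!', commands listed without an
# absolute path, and command targets (typically a script) that a non-root user
# could modify. Each finding is printed on its own line.

# writable_by_others FILE: true when the group or other write bit is set.
# Parses `ls -ldL` (symlinks followed) so it does not depend on GNU stat.
writable_by_others() {
    perm=$(ls -ldL "$1" | awk '{print $1}')
    case "$perm" in
        ?????w*|????????w*) return 0 ;;   # position 6 = group w, 9 = other w
        *) return 1 ;;
    esac
}

# owned_by_root FILE: true when the file's owner is root.
owned_by_root() {
    [ "$(ls -ldL "$1" | awk '{print $3}')" = root ]
}

# audit_line RULE: print findings for one user specification line.
audit_line() {
    rule=$1
    # The command list is everything after '=', minus the (runas) part and tags.
    cmds=$(printf '%s\n' "$rule" | sed 's/^[^=]*=//; s/^[[:space:]]*([^)]*)//; s/NOPASSWD://g; s/PASSWD://g; s/NOEXEC://g; s/SETENV://g')
    case "$cmds" in
        *ALL*!*) echo "WEAK: subtracting from ALL with '!' is not a real restriction, see sudoers(5): $rule" ;;
    esac
    # Look at each comma-separated entry; its first word is the executable.
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
        exe=$(printf '%s\n' "$entry" | sed 's/^[[:space:]]*!*//' | awk '{print $1}')
        [ -n "$exe" ] || continue
        case "$exe" in
            ALL) continue ;;
            [ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) continue ;;   # an alias name such as NETWORKING
            /*) ;;
            *) echo "WEAK: command is not an absolute path: $exe"; continue ;;
        esac
        [ -e "$exe" ] || continue   # cannot inspect a file that is not on this host
        owned_by_root "$exe" || echo "WEAK: $exe is not owned by root, so its owner decides what runs as root"
        writable_by_others "$exe" && echo "WEAK: $exe is group- or world-writable"
    done
    return 0
}

# audit_fragment FILE: audit every user specification in FILE, skipping
# comments, Defaults and alias definitions. Always returns 0; count the output lines.
audit_fragment() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' \
        | grep -v -E '^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' \
        | while IFS= read -r rule; do audit_line "$rule"; done
    return 0
}

# Demonstration on a constructed fragment and script (not the tutorial's files).
# The script is deliberately made world-writable to trigger a finding.
dir=$(mktemp -d)
printf '#!/bin/sh\nmount /dev/sdc1 /centos7\n' > "$dir/script.sh"
chmod 0777 "$dir/script.sh"
cat > "$dir/fragment" <<EOF
## constructed sudoers fragment
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
%Network ALL=(ALL) NETWORKING
sam ALL=(ALL) ALL, !/sbin/shutdown, !/sbin/fdisk
sam ALL=(ALL) $dir/script.sh
anil ALL=(ALL) NOPASSWD: script.sh
EOF
audit_fragment "$dir/fragment"
rm -rf "$dir"
```

Run it against a candidate drop-in before `install`ing it; a clean run prints nothing. The ownership and write-bit checks only fire for paths that exist on the machine where the audit runs, so run it on the host the rules are meant for.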
