Giving Specific Users Root Access to Certain Commands and Files
- Apart from I.T. users, some developers may need to look at or manipulate log files from certain applications or services.
- For example, tailing or cat'ing a file.
Determine what the user needs to access and run.
Add the user and permissions to the /etc/sudoers file using the 'visudo' command.
# visudo
Add the user under the 'User_Alias' specification.
# A User_Alias names a set of accounts; a user may appear in more than one
# alias (bernard is in both), and each alias is granted commands separately.
User_Alias BOX_CONTROL = bernard
User_Alias WEBMASTERS = mike, travis, bernard
Add the commands the user is allowed to run with the 'Cmnd_Alias' specification.
# When a command is listed with arguments, the user's arguments must match
# them exactly (sudoers(5)), so this permits only 'shutdown -r' as written.
Cmnd_Alias REBOOT = /sbin/shutdown -r
Cmnd_Alias APACHE = /usr/sbin/apache2ctl
# With no arguments listed, the command may be run with ANY arguments, so
# this lets the user tail any file on the system as root. If only logs are
# intended, add an explicit argument pattern or grant log-group membership
# instead of sudo.
Cmnd_Alias TAIL = /usr/bin/tail
Add the user and command aliases to the user privilege specification area.
# <User_Alias> <Host> = <Tag>: <Cmnd_Alias...>
# PASSWD keeps the password prompt (the default); NOPASSWD removes it, so
# anything running as a WEBMASTERS account can invoke APACHE and TAIL as
# root without a challenge — weigh that against TAIL having no argument
# restriction above.
BOX_CONTROL ALL = PASSWD : REBOOT
WEBMASTERS ALL = NOPASSWD : APACHE, TAIL
Mail Example
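# mail sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
User_Alias MAILMAN = travis
# Cmnd alias specification
# Cmnd_Alias APACHE = /usr/local/sbin/kickapache
# Command-line arguments attach to a command name, not to a Cmnd_Alias that
# references it ("CAT /var/log/*" in a privilege line is a syntax error), so
# the /var/log restriction is expressed here and the aliases are used bare
# in the privilege line below.
# NOTE(review): in argument position a wildcard also matches '/' and
# whitespace (sudoers(5)), so "/var/log/*" does not confine the command to
# that directory. For read-only log access, membership in the log-reading
# group is a tighter alternative to sudo.
Cmnd_Alias TAIL = /usr/bin/tail -f /var/log/*
Cmnd_Alias CAT = /bin/cat /var/log/*
Cmnd_Alias MREPORT = /usr/bin/mailreport
Cmnd_Alias LSLOG = /bin/ls /var/log*
# Defaults specification
# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. The two lines this note originally told you to delete
# are not present in this file.
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# SUDO MASTERS
rick ALL = (ALL) ALL
bernard ALL = (ALL) ALL
# SUDO Groups and Permissions
# NOPASSWD: anything running as travis can invoke these as root without a
# challenge; the argument patterns above are the only limit.
MAILMAN ALL = NOPASSWD : CAT, TAIL, MREPORT, LSLOG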
Apache Web Host Example
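# Host alias specification
# User alias specification
# A trailing comma after the last member leaves the list open and is a
# visudo syntax error; ADMINS has exactly one member here.
User_Alias ADMINS = rick
User_Alias WIKI_ADMIN = wikiadmin
User_Alias WEBMASTERS = rick, travis, mike
# Cmnd alias specification
Cmnd_Alias APACHE_CTRL = /usr/sbin/apache2ctl
Cmnd_Alias WEBMASTER = /etc/init.d/apache2
# The aliases from TAIL through SU are defined but not referenced by any
# privilege line in this file.
# When arguments are listed they must match exactly (sudoers(5)), so
# "/usr/bin/tail -f" permits only a bare 'tail -f' with no file name.
Cmnd_Alias TAIL = /usr/bin/tail -f
Cmnd_Alias VI = /usr/bin/vi
Cmnd_Alias CAT = /bin/cat
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
# Running a full editor as root is equivalent to unrestricted root (an
# editor can launch other programs), which is why sudoers(5) provides
# sudoedit: the file is edited as the invoking user in a temporary copy and
# only the final write-back happens as root. The pattern is anchored under
# public_html/ rather than public_html* so it cannot match sibling paths
# such as public_html_old.
# NOTE(review): wildcards in argument position still match '/' (sudoers(5)),
# so list the files explicitly if the tree must be strictly confined.
Cmnd_Alias WIKI_EDIT = sudoedit /home/devwiki/public_html/*
# User privilege specification
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# Sudo Groups and Permissions
WIKI_ADMIN ALL = NOPASSWD : APACHE_CTRL, WIKI_EDIT
# NOTE(review): NOPASSWD together with ALL means any process running as
# rick has unchallenged root; keep the password prompt unless the
# omission is deliberate.
ADMINS ALL = NOPASSWD : ALL
WEBMASTERS ALL = NOPASSWD : WEBMASTER
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
Defaults always_set_home
Defaults insults
# Log through syslog's auth facility AND to a dedicated file, with the
# year in timestamps; keep both so the file survives log rotation policy
# changes and the syslog copy can be forwarded off-host.
Defaults syslog=auth
# "Defaults>root" applies only to commands run as root.
Defaults>root !set_logname
# Skip the first-use lecture for ADMINS members only.
Defaults:ADMINS !lecture
Defaults log_year, logfile=/var/log/sudo.log
Defaults editor=/usr/bin/vi
Defaults env_reset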