...
Code Block |
---|
|
# Members of the staff group may gain root privileges
%staff ALL=(ALL) ALL |
Granting Non-staff User to use sudo with Certain Commands
In some cases you might want a non-staff user (Roderick can we do group too, it would be better) to run certain commands. Usual scenarios are restarting services that require root, such as Apache (that would be a better example here).
Scroll to the bottom and enter the username; in this case we use the name bob. Then enter the commands you would like bob to be able to run with sudo; in this case we want bob to be able to create directories.
Code Block |
---|
|
bob ALL=(root) /bin/mkdir |
Now test the command
Let's use the find command. If you do not know what path to add, the error message tells you the path that needs to be added to the file. As an example, let's display the find command error:
Code Block |
---|
|
Sorry, user bob is not allowed to execute '/usr/bin/find something' as root on prodserver |
Now that we have the command path, just add it to bob's entry in the visudo file and test. For multiple commands, separate them with a comma.
Code Block |
---|
|
bob ALL=(root) /bin/mkdir, /usr/bin/find |
To use sudo without being prompted for a password, add NOPASSWD:
Code Block |
---|
|
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find |
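Before saving entries like the ones above, it helps to review what they actually grant. The following is an added example, not part of the original page: a small Python reviewer for single-line sudoers entries of the form shown here. The `audit` function, the `RUNS_OTHER_PROGRAMS` set and the sample text are assumptions made for this illustration; aliases, line continuations and include directives are not handled.

```python
import re

# Constructed sample: the sudoers entries shown on this page.
SAMPLE = """\
# Members of the staff group may gain root privileges
%staff ALL=(ALL) ALL
bob ALL=(root) /bin/mkdir
bob ALL=(root) NOPASSWD: /bin/mkdir, /usr/bin/find
"""

# Assumption for this example: programs that can start other programs.
# find is listed because of its -exec action, so the grant is wider than "search files".
RUNS_OTHER_PROGRAMS = {"/usr/bin/find"}

# who  host = (runas) command-list
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)

def audit(text):
    """Return (line_no, who, finding) tuples for simple user specifications."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "?", "unparsed line, review by hand"))
            continue
        who, rest = m["who"], m["rest"]
        if rest.startswith("NOPASSWD:"):
            findings.append((no, who, "NOPASSWD: no password prompt"))
            rest = rest[len("NOPASSWD:"):]
        for cmd in (c.strip() for c in rest.split(",")):
            path, _, args = cmd.partition(" ")
            if path == "ALL":
                findings.append((no, who, "ALL: any command"))
            elif not path.startswith("/"):
                findings.append((no, who, f"{path}: not an absolute path"))
            else:
                # sudoers accepts any arguments when none are listed in the rule.
                if not args:
                    findings.append((no, who, f"{path}: any arguments accepted"))
                if path in RUNS_OTHER_PROGRAMS:
                    findings.append((no, who, f"{path}: can start other programs"))
    return findings

if __name__ == "__main__":
    for no, who, finding in audit(SAMPLE):
        print(f"line {no}: {who}: {finding}")
```

Entries it flags are candidates for pinning exact arguments in the rule or for replacing the command with a root-owned wrapper script that does only the one task.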
Create Catch-All serveradmin user
serveradmin is the catch-all place to set up things like scripts. Depending on your organization's requirements, it may also be used to manually set up software such as application servers.
...
Code Block |
---|
|
sudo useradd -d /home/remotebackup -m -g backup -u 3001 -c "Remote Backup" -s /bin/bash remotebackup |