57

Below is what I know:

I have to add the line below to the sudoers file to give a user rights for a particular task.

user_name ALL=NOPASSWD: /usr/bin/apt-get install

In this case I want to give this user access to restart two services (i.e. Apache and MySQL) along with all install rights.

Using the above line, I have given him all install rights. Now, do I have to add the same line two more times to give the rights for the services? Or can I just add those commands on the same line, separated by a comma or something?

lucke84
Hrish

4 Answers

67

I have solved the issue by creating a new group for limited admin rights. The name of that group is LimitedAdmins; after that I updated the sudoers file as below.

The line I appended is:

%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart

This is the complete /etc/sudoers file:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
%domain_name\\administrators ALL=(ALL) ALL
%LimitedAdmins ALL=NOPASSWD: /usr/bin/apt-get*, /etc/init.d/apache2 restart

It works perfectly fine whether or not your system is joined to a domain.

Hrish
  • You're not supposed to put stuff after the `#includedir` line are you? – hamstar Aug 13 '13 at 02:26
  • @hamstar Hey, hi! Yes, you are right, though I have used this configuration file in my company for more than 2 years now and it works perfectly fine. Even so, I would also recommend putting the last two lines before `#includedir`. – Hrish Aug 14 '13 at 02:51
  • 10
    Or better, put those two lines into a new file under /etc/sudoers.d instead of editing /etc/sudoers. – tgharold Sep 12 '13 at 17:55
  • @tgharold Yes buddy!! You are right... it is really a better option than what I have suggested... :) Appreciate your idea, will try to implement it at my place as well. – Hrish Sep 14 '13 at 16:59
  • Is #includedir a comment? Or does the include happen automatically and the comment just reminds us of that? – HeatfanJohn Feb 22 '14 at 17:11
  • Yes, it is a comment, but we should un-comment it and use that path to make changes to the sudoers, as that is the best option, which was suggested by @tgharold – Hrish Feb 24 '14 at 07:19
  • I don't think you should use apt-get*, the [sudo manual](http://www.sudo.ws/man/sudoers.man.html#x57696c646361726473) advises against using * after commands as they allow _any_ text after the apt-get which might lead to security issues (in my understanding) – EdgeCaseBerg May 15 '15 at 15:28
  • 2
    #includedir /etc/sudoers.d is not a comment. It is an actual config parameter. That is why the space is missing after the hash/pound sign. see: http://www.sudo.ws/man/1.8.13/sudoers.man.html – spkane Jun 23 '15 at 14:25
  • Pay attention to the blank space before each command and after the comma symbol. It's very important; otherwise you will get "/etc/sudoers: syntax error near line XX" – Jruv Oct 23 '19 at 04:33
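To make the points raised in the comments above concrete, here is an added example that is not part of the original answer: a small POSIX shell emulation of how sudo decides whether one comma-separated Cmnd_Spec entry permits a given command line, following the matching rules described in sudoers(5), together with a drop-in for /etc/sudoers.d that keeps the comma-separated form the answers use but replaces the `apt-get*` wildcard with exact argument lists. The emulation is an approximation for illustration only (real sudo also resolves the command in PATH, supports digests, negation and more). The group name LimitedAdmins is taken from the answer; the file name `limitedadmins` and the MySQL init script path `/etc/init.d/mysql` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: emulate how sudo decides
# whether a Cmnd_Spec entry permits a command line (approximation of the
# matching rules in sudoers(5)), and render a hardened /etc/sudoers.d drop-in.
#
# Rules emulated:
#   - the path is matched with fnmatch(3) and FNM_PATHNAME, so a '*' in the
#     file name never crosses a '/' (/usr/bin/* matches /usr/bin/who but not
#     /usr/bin/X11/xterm);
#   - an entry with no arguments allows any arguments;
#   - an entry ending in "" allows no arguments at all;
#   - otherwise the arguments the user typed, joined by single spaces, must
#     match the entry's arguments exactly, wildcards included; a '*' in the
#     arguments also matches spaces, so one '*' can swallow extra arguments.
sudo_cmnd_matches() {
    rule=$1      # Cmnd_Spec entry, e.g. "/usr/bin/apt-get install *"
    cmdline=$2   # what the user ran: full path followed by its arguments

    rule_path=${rule%% *}
    rule_args=${rule#"$rule_path"}; rule_args=${rule_args# }
    cmd_path=${cmdline%% *}
    cmd_args=${cmdline#"$cmd_path"}; cmd_args=${cmd_args# }

    # 1. directory part must be identical: a wildcard never matches '/'
    [ "${cmd_path%/*}" = "${rule_path%/*}" ] || return 1
    # 2. file name part is a glob (an unquoted case pattern behaves like fnmatch)
    case "${cmd_path##*/}" in
        ${rule_path##*/}) ;;
        *) return 1 ;;
    esac
    # 3. arguments
    if [ -z "$rule_args" ]; then
        return 0                    # no arguments listed: anything goes
    elif [ "$rule_args" = '""' ]; then
        [ -z "$cmd_args" ]          # "" listed: no arguments permitted
    else
        case "$cmd_args" in
            $rule_args) return 0 ;;
            *) return 1 ;;
        esac
    fi
}

# Drop-in for /etc/sudoers.d with exact argument lists instead of "apt-get*".
# Assumptions: group LimitedAdmins (from the answer), MySQL's init script at
# /etc/init.d/mysql, file name limitedadmins (a name containing '.' or ending
# in '~' is ignored by sudo). Install it with mode 0440 after visudo -c -f FILE.
render_dropin() {
    cat <<'EOF'
# /etc/sudoers.d/limitedadmins
Cmnd_Alias PKG      = /usr/bin/apt-get update, /usr/bin/apt-get install *
Cmnd_Alias SERVICES = /etc/init.d/apache2 restart, /etc/init.d/mysql restart
%LimitedAdmins ALL=(root) NOPASSWD: PKG, SERVICES
EOF
}

# Does any entry in the drop-in's Cmnd_Alias lines permit CMDLINE?
# sed keeps only the entry lists, tr splits on the commas, and read strips
# the surrounding padding from each entry.
dropin_allows() {
    cmdline=$1
    render_dropin |
        sed -n 's/^Cmnd_Alias[^=]*=[ ]*//p' |
        tr ',' '\n' |
        while read -r entry; do
            [ -n "$entry" ] && sudo_cmnd_matches "$entry" "$cmdline" && echo match
        done |
        grep -q match
}

show() {  # print the verdict for one entry / command pair
    if sudo_cmnd_matches "$1" "$2"; then v=ALLOWED; else v=denied; fi
    printf '%-32s %-44s %s\n' "$1" "$2" "$v"
}

# The wildcard from the answer admits far more than "apt-get install":
show '/usr/bin/apt-get*'           '/usr/bin/apt-get install apache2'
show '/usr/bin/apt-get*'           '/usr/bin/apt-get-anything --any-args'
# The question's own line only permits a bare "apt-get install" (exact args):
show '/usr/bin/apt-get install'    '/usr/bin/apt-get install apache2'
show '/usr/bin/apt-get install *'  '/usr/bin/apt-get install apache2'
# A '*' in arguments also matches spaces, the pitfall sudoers(5) warns about:
show '/bin/cat /var/log/messages*' '/bin/cat /var/log/messages /etc/shadow'
show '/usr/bin/*'                  '/usr/bin/X11/xterm'
```

Two things the run makes visible: the question's original entry `/usr/bin/apt-get install` does not permit `sudo apt-get install apache2` at all, because listed arguments must match exactly, so `install *` (or a bare `/usr/bin/apt-get` for every subcommand) is what "all install rights" actually needs; and `/usr/bin/apt-get*` also matches any other file in /usr/bin whose name starts with `apt-get`, with any arguments. Note that `install *` still lets the user pass any options and install local packages, which is what the question asked for but is also why a package manager entry is never a tightly scoped one.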
15

Looks like a comma is what you need.

Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
...
user3 ALL= PRINTING

Source

Karthik T
  • I have given rights the way you mentioned, however I got the error message below.
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root? ... can anyone help on this?
    – Hrish Jan 23 '13 at 09:17
  • @Rishee I will try once I get home – Karthik T Jan 23 '13 at 10:03
  • My sudoers file contains the things mentioned below. – Hrish Jan 23 '13 at 10:31
  • # User privilege specification
    root ALL=(ALL:ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL
    #includedir /etc/sudoers.d
    $ sudo nano /etc/sudoers
    %Domain_Name\\administrators ALL=(ALL) ALL
    %Domain_Name\\user.name ALL=NOPASSWD: /usr/bin/apt-get install, /etc/init.d/apache2 restart
    – Hrish Jan 23 '13 at 10:32
5

FWIW, I was wondering the same thing as the OP, and it looks like you can also just duplicate the lines, e.g.

user_name ALL=NOPASSWD: cmd1
user_name ALL=NOPASSWD: cmd2
user_name ALL=NOPASSWD: cmd3
Chris Browet
3

What I ended up doing was (similar to what you are looking for):

## PRTG monitoring
Cmnd_Alias PRTG = /bin/cat /proc/loadavg, /bin/df, /var/prtg/scripts/check_proc.sh
prtg ALL = NOPASSWD: PRTG

Inside: /etc/sudoers.d/666-prtg

(666, because... well... PRTG IS a Windows-based monitoring tool, you know)

Mark Maas