Linux/AIX: How to grant a user sudo access to specific commands with options?
We usually grant sudo access by editing the /etc/sudoers file with the visudo command.
However, sometimes we need to grant a user access to specific commands only, restricted to particular options.
In this case it is not recommended to edit the main sudoers file via “visudo”, as a mistake there can corrupt the whole sudoers file and break your system.
So today we will look at a useful tip: achieve this by creating a custom command file for the specific user under /etc/sudoers.d.
1. Go to the /etc/sudoers.d directory and create a file named after the user.
Now add the commands on which we want to give the user root access, with the NOPASSWD option if you want the user to skip the password prompt.
[root@ngelinux sudoers.d]# cd /etc/sudoers.d; cat oracle
oracle ngelinux = (root) NOPASSWD:/SE/batch/batch_jobs/file_copy.sh
oracle ngelinux = (root) NOPASSWD:/nges/Apps/jdk-11.0.2/bin/java
oracle ngelinux = (root) NOPASSWD:/bin/vi /etc/hosts
oracle ngelinux = (root) NOPASSWD:/bin/vi /etc/hostname
oracle ngelinux = (root) NOPASSWD:/bin/update-ca-trust force-enable
oracle ngelinux = (root) NOPASSWD:/bin/cp ca.cert.pem /etc/pki/ca-trust/source/anchors/
oracle ngelinux = (root) NOPASSWD:/bin/update-ca-trust extract
oracle ngelinux = (root) NOPASSWD:/bin/vi /var/lib/kubelet/config.yaml
oracle ngelinux = (root) NOPASSWD:/bin/systemctl daemon-reload
oracle ngelinux = (root) NOPASSWD:/bin/systemctl restart kubelet
oracle ngelinux = (root) NOPASSWD:/bin/systemctl restart docker
oracle ngelinux = (root) NOPASSWD:/bin/systemctl status kubelet -l
oracle ngelinux = (root) NOPASSWD:/bin/systemctl status docker -l
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable kubelet
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable docker.service
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable containerd.service
oracle ngelinux = (root) NOPASSWD:/bin/yum --disablerepo=* localinstall *.rpm
oracle ngelinux = (root) NOPASSWD:/bin/cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
oracle ngelinux = (root) NOPASSWD:/bin/cp bsfdeploy /usr/local/bin
oracle ngelinux = (root) NOPASSWD:/nges/Apps/ngeapp/519/st/core/bin/share/nges_config
oracle ngelinux = (root) NOPASSWD:/nges/Apps/oracle/setup_deploy.sh -k ~/.kube/config -i pdi_input_manifest.yaml
[root@ngelinux sudoers.d]# pwd
/etc/sudoers.d
[root@ngelinux sudoers.d]# ls -ltr
total 16
-r--r-----. 1 root root  547 Mar 23  2018 deploy
-r--r-----. 1 root root   87 Feb 19  2019 nges_config
-r--r-----. 1 root root  123 May  9  2019 qualys
-r--r-----. 1 root root 1524 May 12 10:33 oracle
[root@ngelinux sudoers.d]#
2. Now check the granted sudo access.
Switch to that user and verify with sudo -l that the commands added in the file are reflected, then confirm that they work as expected.
[root@ngelinux ~]# su - oracle
Last login: Wed May 12 15:26:33 BST 2021 from ngelinux3.ngelgroup.net on pts/7
This system is clustered do not shutdown the app oustide of the cluster!
[oracle@ngelinux ~]$ sudo -l
Matching Defaults entries for oracle on ngelinux:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User oracle may run the following commands on ngelinux:
    (root) NOPASSWD: /nges/Apps/ngeapp/519/core/bin/share/nges_config
    (root) NOPASSWD: /SE/batch/batch_jobs/file_copy.sh
    (root) NOPASSWD: /nges/Apps/jdk-11.0.2/bin/java
    (root) NOPASSWD: /bin/vi /etc/hosts
    (root) NOPASSWD: /bin/vi /etc/hostname
    (root) NOPASSWD: /bin/update-ca-trust force-enable
    (root) NOPASSWD: /bin/cp ca.cert.pem /etc/pki/ca-trust/source/anchors/
    (root) NOPASSWD: /bin/update-ca-trust extract
    (root) NOPASSWD: /bin/vi /var/lib/kubelet/config.yaml
    (root) NOPASSWD: /bin/systemctl daemon-reload
    (root) NOPASSWD: /bin/systemctl restart kubelet
    (root) NOPASSWD: /bin/systemctl restart docker
    (root) NOPASSWD: /bin/systemctl status kubelet -l
    (root) NOPASSWD: /bin/systemctl status docker -l
    (root) NOPASSWD: /bin/systemctl enable kubelet
    (root) NOPASSWD: /bin/systemctl enable docker.service
    (root) NOPASSWD: /bin/systemctl enable containerd.service
    (root) NOPASSWD: /bin/yum --disablerepo\=* localinstall *.rpm
    (root) NOPASSWD: /bin/cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    (root) NOPASSWD: /bin/cp bsfdeploy /usr/local/bin
    (root) NOPASSWD: /nges/Apps/ngeapp/519/st/core/bin/share/nges_config
    (root) NOPASSWD: /nges/Apps/oracle/setup_deploy.sh -k ~/.kube/config -i pdi_input_manifest.yaml
[oracle@ngelinux ~]$
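Before dropping a file like the one above into /etc/sudoers.d, the check a practitioner wants is visudo -cf <file>, which parses the file exactly as sudo will. The script below is an added example written for this post (it is not part of the original article or of sudo itself) that covers what visudo -cf does not: it reads the per-user drop-in format used in steps 1 and 2 and flags rules that silently do not do what the author intends. Specifically it reports shell variables or ~ in the argument list (the user's shell expands $HOME and ~ before sudo compares arguments, so such a rule never matches), wildcards in arguments (sudo matches them against the whole argument string, so they can span several words), commands listed with no arguments at all (sudo then allows any arguments), interactive editors run as root (sudoedit is the intended way to hand out file edits), and drop-in file names or modes that sudo ignores or that expose the file. The sample rules are constructed from the page's oracle file; the function and variable names are this example's own.

```python
import re
import stat
from typing import List, Tuple

# One sudoers user specification in the shape used in the drop-in file:
#   user host = (runas) [NOPASSWD:|PASSWD:] command [args...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)

# Interactive programs that, run as root, can open arbitrary files or start
# other processes; file edits should be granted through sudoedit instead.
INTERACTIVE = {"vi", "vim", "view", "nano", "less", "more"}

Finding = Tuple[int, str, str]  # (line number, severity, message)


def check_dropin_name(name: str) -> List[str]:
    """sudo skips files in /etc/sudoers.d whose name contains '.' or ends in '~'."""
    problems = []
    if "." in name:
        problems.append("name contains '.', sudo ignores this file")
    if name.endswith("~"):
        problems.append("name ends in '~', sudo ignores this file")
    return problems


def check_dropin_mode(mode: int) -> List[str]:
    """Drop-in files should be mode 0440 like the ones listed with ls -ltr above."""
    problems = []
    if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is writable; expected mode 0440")
    if mode & stat.S_IROTH:
        problems.append("file is world-readable; expected mode 0440")
    return problems


def lint_rules(text: str) -> List[Finding]:
    """Return findings for each rule line; an empty list means nothing to report."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, "error", "not a user specification; run visudo -cf on the file"))
            continue
        cmd = m.group("cmd")
        args = (m.group("args") or "").strip()
        base = cmd.rsplit("/", 1)[-1]
        if not cmd.startswith("/"):
            findings.append((n, "error", f"{cmd}: command must be an absolute path"))
        if args == "":
            findings.append((n, "warn", f"{base}: no argument list, so any arguments are "
                                        'allowed (use "" to forbid arguments)'))
        if "$" in args or re.search(r"(^|\s)~", args):
            findings.append((n, "error", f"{base}: '$VAR' or '~' in arguments is expanded by the "
                                         "user's shell before sudo compares it, so this rule never matches"))
        if "*" in args or "?" in args:
            findings.append((n, "warn", f"{base}: wildcard in arguments is matched against the "
                                        "whole argument string and can span several arguments"))
        if base in INTERACTIVE:
            findings.append((n, "warn", f"{base}: interactive editor/pager as root; prefer sudoedit"))
    return findings


# Constructed sample: a subset of the rules from the page's oracle drop-in file.
SAMPLE = """\
oracle ngelinux = (root) NOPASSWD:/nges/Apps/jdk-11.0.2/bin/java
oracle ngelinux = (root) NOPASSWD:/bin/vi /etc/hosts
oracle ngelinux = (root) NOPASSWD:/bin/systemctl restart kubelet
oracle ngelinux = (root) NOPASSWD:/bin/yum --disablerepo=* localinstall *.rpm
oracle ngelinux = (root) NOPASSWD:/bin/cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
oracle ngelinux = (root) NOPASSWD:/nges/Apps/oracle/setup_deploy.sh -k ~/.kube/config -i pdi_input_manifest.yaml
"""

if __name__ == "__main__":
    for problem in check_dropin_name("oracle") + check_dropin_mode(0o440):
        print(f"file: {problem}")
    for n, severity, message in lint_rules(SAMPLE):
        print(f"line {n} [{severity}]: {message}")
```

Run it as a script to see the report for the constructed sample; for a real file, feed its contents to lint_rules and the result of os.stat on it to check_dropin_mode, and still run visudo -cf on the file before relying on it. Each error above is a rule that looks granted in sudo -l output yet fails at use time, so the sudo -l step in the post is necessary but not sufficient.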