Linux/AIX: How to grant a user sudo access to specific commands with options?

We usually give sudo access by editing the /etc/sudoers file with the visudo command.

However, sometimes we need to grant a user access to specific commands only, restricted to particular options and arguments.

In this case it is better not to add the rules to the main /etc/sudoers file: a shared file that keeps growing is hard to audit, and a mistake in it affects every user on the system. visudo itself is safe to use (it locks the file and refuses to save one with a syntax error); the reason to prefer a separate file is manageability, and visudo -f checks a drop-in file in exactly the same way. This works on any system where /etc/sudoers contains the line #includedir /etc/sudoers.d (newer sudo also accepts @includedir), which is the default on RHEL-family systems.

So today we will look at how to achieve this by creating a custom command file for a specific user under /etc/sudoers.d.

1. Go to the /etc/sudoers.d directory and create a file named after the user.

The file must be owned by root with mode 0440 (sudo refuses drop-ins that are world-readable or writable), and its name must not contain a '.' or end in '~', because sudo silently skips such files (that is how editor backups and .rpmnew copies are ignored). Edit it with visudo -f /etc/sudoers.d/<user> so that it gets the same syntax check as /etc/sudoers.

Now add the commands the user should be allowed to run as root, one per line. Each line names the user, the host (ngelinux here), the target user in parentheses and the exact command line that is permitted; sudo matches the arguments literally, so /bin/systemctl restart kubelet does not also permit /bin/systemctl restart sshd. Add the NOPASSWD tag if you want the user to skip the password prompt.

A few of the entries below deserve a second look before you copy them. An editor such as /bin/vi run as root can spawn a root shell with :!sh, so those lines are effectively unrestricted root; the sudoedit /etc/hosts form gives the user a temporary copy to edit and writes it back as root without that escape. A command listed with no arguments, such as the java binary, may be run with any arguments, which again amounts to root. sudoers does not expand $HOME or ~ (the user's shell does, before sudo compares the command line), so those two lines only match if the user quotes the literal text; write the absolute path instead. And the * in the yum line matches any string including spaces, so additional options can be passed along with the .rpm name.

[root@ngelinux sudoers.d]# cd /etc/sudoers.d; cat oracle
oracle ngelinux = (root) NOPASSWD:/SE/batch/batch_jobs/file_copy.sh
oracle ngelinux = (root) NOPASSWD:/nges/Apps/jdk-11.0.2/bin/java
oracle ngelinux = (root) NOPASSWD:/bin/vi /etc/hosts
oracle ngelinux = (root) NOPASSWD:/bin/vi /etc/hostname
oracle ngelinux = (root) NOPASSWD:/bin/update-ca-trust force-enable
oracle ngelinux = (root) NOPASSWD:/bin/cp ca.cert.pem /etc/pki/ca-trust/source/anchors/
oracle ngelinux = (root) NOPASSWD:/bin/update-ca-trust extract
oracle ngelinux = (root) NOPASSWD:/bin/vi /var/lib/kubelet/config.yaml
oracle ngelinux = (root) NOPASSWD:/bin/systemctl daemon-reload
oracle ngelinux = (root) NOPASSWD:/bin/systemctl restart kubelet
oracle ngelinux = (root) NOPASSWD:/bin/systemctl restart docker
oracle ngelinux = (root) NOPASSWD:/bin/systemctl status kubelet -l
oracle ngelinux = (root) NOPASSWD:/bin/systemctl status docker -l
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable kubelet
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable docker.service
oracle ngelinux = (root) NOPASSWD:/bin/systemctl enable containerd.service
oracle ngelinux = (root) NOPASSWD:/bin/yum --disablerepo=* localinstall *.rpm
oracle ngelinux = (root) NOPASSWD:/bin/cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
oracle ngelinux = (root) NOPASSWD:/bin/cp bsfdeploy /usr/local/bin
oracle ngelinux = (root) NOPASSWD:/nges/Apps/ngeapp/519/st/core/bin/share/nges_config
oracle ngelinux = (root) NOPASSWD:/nges/Apps/oracle/setup_deploy.sh -k ~/.kube/config -i pdi_input_manifest.yaml


[root@ngelinux sudoers.d]# pwd
/etc/sudoers.d

[root@ngelinux sudoers.d]# ls -ltr
total 16
-r--r-----. 1 root root  547 Mar 23  2018 deploy
-r--r-----. 1 root root   87 Feb 19  2019 nges_config
-r--r-----. 1 root root  123 May  9  2019 qualys
-r--r-----. 1 root root 1524 May 12 10:33 oracle
[root@ngelinux sudoers.d]#

 

2. Now check the granted sudo access.

Switch to that user and run sudo -l to confirm that the commands from the file are listed, then try one of them to confirm it works. As root you can also run sudo -l -U oracle without switching users. Note that sudo -l shows the rules from every file in /etc/sudoers.d, so entries from the other drop-ins on this host (the nges_config file here) appear alongside the new ones.

[root@ngelinux ~]# su - oracle
Last login: Wed May 12 15:26:33 BST 2021 from ngelinux3.ngelgroup.net on pts/7

This system is clustered do not shutdown the app oustide of the cluster!
[oracle@ngelinux ~]$ sudo -l
Matching Defaults entries for oracle on ngelinux:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User oracle may run the following commands on ngelinux:
    (root) NOPASSWD: /nges/Apps/ngeapp/519/core/bin/share/nges_config
    (root) NOPASSWD: /SE/batch/batch_jobs/file_copy.sh
    (root) NOPASSWD: /nges/Apps/jdk-11.0.2/bin/java
    (root) NOPASSWD: /bin/vi /etc/hosts
    (root) NOPASSWD: /bin/vi /etc/hostname
    (root) NOPASSWD: /bin/update-ca-trust force-enable
    (root) NOPASSWD: /bin/cp ca.cert.pem /etc/pki/ca-trust/source/anchors/
    (root) NOPASSWD: /bin/update-ca-trust extract
    (root) NOPASSWD: /bin/vi /var/lib/kubelet/config.yaml
    (root) NOPASSWD: /bin/systemctl daemon-reload
    (root) NOPASSWD: /bin/systemctl restart kubelet
    (root) NOPASSWD: /bin/systemctl restart docker
    (root) NOPASSWD: /bin/systemctl status kubelet -l
    (root) NOPASSWD: /bin/systemctl status docker -l
    (root) NOPASSWD: /bin/systemctl enable kubelet
    (root) NOPASSWD: /bin/systemctl enable docker.service
    (root) NOPASSWD: /bin/systemctl enable containerd.service
    (root) NOPASSWD: /bin/yum --disablerepo\=* localinstall *.rpm
    (root) NOPASSWD: /bin/cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    (root) NOPASSWD: /bin/cp bsfdeploy /usr/local/bin
    (root) NOPASSWD: /nges/Apps/ngeapp/519/st/core/bin/share/nges_config
    (root) NOPASSWD: /nges/Apps/oracle/setup_deploy.sh -k ~/.kube/config -i pdi_input_manifest.yaml
[oracle@ngelinux ~]$
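The two steps above (write the drop-in, syntax-check it with visudo, set the 0440 mode, then list what the user may run) as one script. This is an added example, not code from the original post: the user oracle, host ngelinux, the kubelet commands and the /etc/kubernetes/admin.conf path are taken from the page, while the lint_rule checks, the --install switch and the file layout are this example's own. The lint rejects the patterns that turn a "restricted" rule into full root: editors and pagers (vi offers :!sh), shells, $HOME or ~ that sudoers matches literally rather than expanding, and * in arguments (sudo's wildcard also matches spaces).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build, lint, syntax-check and
# install a per-user drop-in under /etc/sudoers.d, then list what it grants.
set -euo pipefail

# One rule per command. sudo compares the arguments literally (apart from the
# glob characters * ? [ ]), so "systemctl restart kubelet" does not also
# allow "systemctl restart sshd".
sudoers_rules() {
    local user="$1" host="$2" cmd
    shift 2
    for cmd in "$@"; do
        printf '%s %s = (root) NOPASSWD: %s\n' "$user" "$host" "$cmd"
    done
}

# sudo silently ignores drop-in files whose name contains a '.' or ends in
# '~'; that is how editor backups and package .rpmnew files get skipped.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Reject rules that are root in disguise. Prints the reason and returns 1.
lint_rule() {
    local rule="$1"
    case "$rule" in
        *"/vi "*|*"/vi"|*"/vim "*|*"/vim"|*"/nano "*|*"/less "*|*"/more "*)
            echo 'editor or pager as root (:!sh escapes); use sudoedit <file>'; return 1 ;;
        *"/sh"|*"/sh "*|*"/bash"|*"/bash "*)
            echo 'shell as root'; return 1 ;;
        *'$HOME'*|*' ~/'*)
            echo 'sudoers does not expand $HOME or ~; write the absolute path'; return 1 ;;
        *'*'*)
            echo '* in arguments also matches spaces, so extra options get through'; return 1 ;;
    esac
    return 0
}

# Write through a dot-prefixed temp file (sudo ignores it while in flight),
# let visudo check the syntax, then set the 0440 mode sudo requires and move
# it into place. Must run as root.
install_dropin() {
    local user="$1" content="$2" tmp
    valid_dropin_name "$user" || { echo "bad drop-in name: $user" >&2; return 1; }
    tmp=$(mktemp "/etc/sudoers.d/.${user}.XXXXXX")
    printf '%s\n' "$content" > "$tmp"
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        echo "syntax error, nothing installed" >&2
        return 1
    fi
    chmod 0440 "$tmp"
    mv "$tmp" "/etc/sudoers.d/$user"
    sudo -l -U "$user"      # what the user may now run, without su - $user
}

main() {
    local good bad rule reason
    good=$(sudoers_rules oracle ngelinux \
        "/bin/systemctl daemon-reload" \
        "/bin/systemctl restart kubelet" \
        "/bin/systemctl status kubelet -l" \
        "sudoedit /etc/hosts" \
        "/bin/cp -i /etc/kubernetes/admin.conf /home/oracle/.kube/config")
    # Three rules from the post, shown only to demonstrate what the lint rejects.
    bad=$(sudoers_rules oracle ngelinux \
        "/bin/vi /etc/hosts" \
        "/bin/yum --disablerepo=* localinstall *.rpm" \
        "/bin/cp -i /etc/kubernetes/admin.conf \$HOME/.kube/config")

    while IFS= read -r rule; do
        if ! reason=$(lint_rule "$rule"); then
            echo "rejected: $rule ($reason)" >&2; return 1
        fi
    done <<< "$good"
    while IFS= read -r rule; do
        reason=$(lint_rule "$rule") || echo "would reject: $rule ($reason)" >&2
    done <<< "$bad"

    printf '%s\n' "$good"
    if [ "${1:-}" = "--install" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root to install" >&2; return 1; }
        install_dropin oracle "$good"
    fi
}

main "${1:-}"
```

Run it without arguments to print the generated rules and see which of the post's entries the lint would refuse; run it as root with --install to write /etc/sudoers.d/oracle and show the resulting sudo -l -U oracle listing. The lint is deliberately a string match: it catches the common mistakes, not every way a command can be abused as root, so review anything that copies files onto root's PATH or installs packages by hand.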
