MDLog:/sysadmin

The Journal Of A Linux Sysadmin

Linux Tips: The Proper Way to Allow Regular Users to Run Commands as Root

| Comments

There are many situations when you will need regular users to have more privileges than the normal user account they have. What situations? This will depend very much on a case by case basis but believe me there will be such cases… For example if a regular user needs to run a program that will change some some protected folder or file, or just a special root command (like shutdown for example). What can be done in such situations? Well this depends: if you can go around it by assigning proper file/folder permission then this is great. But if not:

  • you can give them the root password and place them in the group allowed to ‘su’ and you are done. I never liked this option as it will allow them to do anything on the system, and this is not what we were trying to achieve.

  • you can use a program like sudo, to fine tune the proper commands that you will allow the user to run. This is more likely what I would do in this situation…

So the magical solution to this problem is sudo (superuser do), a program that allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user. And all the commands will be logged for your reference.

The installation, in case you don’t already have sudo on the system, is very simple, but in case you want it you can check out some simple details about installing sudo on Debian, or Rhel, Fedora, Centos, and some details about the configuration files location and default state.

Basically what we need is to: define the commands, define the users and assign what commands are allowed to each user defined. Everything is pretty straitforth and well documented in the manual page, but here is a simple example to see it better: let say that we want a regular user called ‘webadmin’ to run as root a shell script that will call rsync for backup purposes.

Let’s define the user alias (not really needed but on more complex configurations can be very useful). In the user alias section we put:

# User alias specification
User_Alias      WEBADMIN = webadmin

Now let’s define the commands this user will be allowed to run. In the command alias section we enter:

# Cmnd alias specification
Cmnd_Alias      CMD_SYNC = /usr/bin/rsync

And the last thing is to assign to the user alias created the command allowed:

# User privilege specification
WEBADMIN        ALL = NOPASSWD: CMD_SYNC

Since I have entered the parameter NOPASSWD this will not ask the user for any password while running the command. If this is not used the user will be required to enter its regular password (not very useful). The configuration file for this example looks like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification
User_Alias      WEBADMIN = webadmin

# Cmnd alias specification
Cmnd_Alias      CMD_SYNC = /usr/bin/rsync

# User privilege specification
root    ALL=(ALL) ALL

WEBADMIN        ALL = NOPASSWD: CMD_SYNC

Now each time the user ‘webadmin’ will launch the rsync command with sudo it will be running it with root privileges:

sudo rsync --delete -va --exclude=upload/* /www/livesite/ /backup/www

This can have many usages based on the needs: like, you can allow an unprivileged user to be able to reboot the system if needed (shutdown) or update the system (apt, up2date, yum), etc. I just wanted to show you what you can do with this program and a simple example of usage.

Are you already using sudo on your servers to allow normal users to run some commands as root? Let me know what have you achieved with it and I will include it here as more examples of usage.

Comments