linux - Adding sudoer for all but root

2014-07
  • golbarg

    Here is the base of my problem: I would like to add sudo rights to a user, but not to use it as root for security reasons.

    I have a PHP script needing to run a command (drush) through exec(). However, the PHP is run as a user and I want the command to be executed as another user. This is required because if not, there is a permission problem to write in the other user's directory.

    The drush command itself works, I've made it available to all users.

    The current user (A) is a cPanel reseller that created the other account/user (B).

    I can run exec('ls -la') as user A and it will return the CWD's contents as long as we are in user A's home directory. The same code with added sudo fails as user A is not in the sudoers list.

    The final command downloads files to user B's directory and looks like: '<pwd> | sudo -S -u <usrB> drush dl drupal <irrelevant options>'

    -S is supposed to automatically execute the command as user B using his password.

    Running the exact same command as root works perfectly.

    I wanted to know if there is a way to add user A to the sudoers without access as root, and if that would be safe to prevent potential security flaws. If it isn't possible, are there alternatives? I saw one could exclude directories from sudoers using !, but then I realized that this would be quite flawed.

    Please note that I'm a developer, so even though I know some basics, I'm not a pro. Server is running CentOS 6.5, WHM/cPanel, and I have root access if needed. The idea is that a one-time setup will prevent configuration upon new user creation.

  • Answers
  • driz

    CentOS 6.5 has examples in the default sudoers file. Assuming the user is "user_a" and the command you want to run is ls, but only on the local host:

    user_a localhost=/bin/ls

    If you want multiple commands, separate them with a comma.

    For more information, man sudoers has examples: http://www.sudo.ws/sudoers.man.html


  • Related Question

    linux - Changed sudoers file and can't open it anymore; can't open any file using root
  • Questioner

    I changed settings in the sudoers file using

    sudo visudo

    and messed it up. Now when I try to do it again or open any file using sudo, I can't open it anymore and I get this error message:

    >>> sudoers file: syntax error, line 7
    What now?

    Is there any way to get out of this problem (to revert the settings), or do I need to install a fresh copy of Linux?

    The reason I got all this is I pressed "Q" while it was telling me there was some error, which was very stupid of me.

    Thanks.

    EDIT

    My sudoers file is no different from the normal sudoers file. I just added a timestamp_timeout = 0 line to that file and this whole problem arose. I did what James suggested and even removed that line (timestamp_timeout = 0). I changed the file permission to 0440, which it requested, and then booted normally. Then I get the same error message

    sudoers file: syntax error, line 7
    sudo: parse error in /etc/sudoers near line 7

    as above.

    What should I do now?

    EDIT 2: Solved

    This is what I did:

    1. Booted using a live CD
    2. Removed the old sudoers file
    3. Made a new sudoers file and copied everything to it, i.e. the minimum configuration settings, which I luckily had saved in another file
    4. Changed the file permission to 0440
    5. Rebooted normally from the hard drive

    Hurray!


  • Related Answers
  • James

    Assuming you didn't give the root user a password, the easiest way to fix this is with a live CD such as Knoppix. Boot off the CD, mount the local disc, edit the file, unmount the disc and reboot.

  • Andrioid

    Simple, boot the computer in 'single user mode' by doing the following steps:

    1. Reboot
    2. When Grub starts, press ESC (or escape)
    3. Press 'e' for editing the current line
    4. Add 'single' to the end of the line containing 'linux'
    5. Boot (press b)

    This will start the computer with only one user, root. From there follow these steps:

    1. /usr/bin/vim /etc/sudoers (or use nano, which might be easier for you) to fix the problem
    2. If you're unsure of the problem, try copying the included example of sudoers from "/usr/share/doc/sudo/examples" (varies) and of course add your user there.
    3. Save the file, exit Vim
    4. Reboot, enjoy!
  • Telemachus

    James' idea to use a live cd (assuming the root account is not enabled) is a good one. I would add a few points.

    • First, you might get lucky and a backup of the /etc/sudoers file was automatically saved when you were editing it. Check in /etc for a file that looks like this: sudoers~ (you can cd to that directory and run ls -A without root privileges, even if you can't read or edit the files as a regular user). Some editors will create such a backup if at all possible, so you may have one without having created it explicitly.
    • Second, if you have no idea how to edit the file, you might consider posting it (or the area around line 7) here or elsewhere. Although the file itself has to do with security, there aren't passwords in it, so there's no immediate harm in posting it.
    • Last, note that an error message like the one you saw doesn't necessarily mean that the problem itself is literally on line 7. The error might be on line 4, but only got tripped off, so to speak, on line 7.
  • Torandi

    Try pressing e, for edit. This should let you edit the file and correct the errors.
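    A toy model of the rule grammar driz's answer shows (user host=(runas) command), and of the kind of parse error the related question ran into, as an added example that is not code from the page or from the sudo project. It assumes user_a, user_b, /usr/local/bin/drush and the drush rule as constructed values, and reads the related question's bare `timestamp_timeout = 0` line as one that lacks the Defaults keyword; it is a model of the rule shape, not sudo itself.

```python
"""Toy model of the sudoers grammar  user host=(runas) [TAG:] command.
Added example, not sudo itself: it mirrors the rule shape so a rule can be
reasoned about before install.  Check real files with 'visudo -cf FILE'."""
import fnmatch
import re

# Constructed sudoers text; names, paths and the drush rule are assumptions.
# Line 3 is a bare option without the 'Defaults' keyword, so it is no rule.
SUDOERS = """\
Defaults timestamp_timeout=0
user_a localhost=/bin/ls
timestamp_timeout = 0
user_a ALL=(user_b) NOPASSWD: /usr/local/bin/drush dl drupal *
"""

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional Runas_Spec
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"       # optional tag
    r"(?P<cmd>/\S.*)$")                        # absolute path plus args

def parse(text):
    """Return (rules, bad_lines); bad_lines are 1-based line numbers."""
    rules, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            bad.append(n)
            continue
        d = m.groupdict()
        d["runas"] = d["runas"] or "root"      # sudo's default target user
        rules.append(d)
    return rules, bad

def permitted(rules, user, host, runas, argv):
    # True if some rule lets USER on HOST run ARGV as RUNAS.
    for r in rules:
        if r["user"] != user or r["host"] not in ("ALL", host):
            continue
        if r["runas"] not in ("ALL", runas):
            continue
        want = r["cmd"].split()
        if want[0] != argv[0]:
            continue
        # Bare command: any args; else args must match the pattern ('*' spans spaces).
        if len(want) == 1 or fnmatch.fnmatch(" ".join(argv[1:]), " ".join(want[1:])):
            return True
    return False
```

    The point the model makes visible is that the Runas_Spec `(user_b)` is what keeps the rule from granting root: the same drush command requested as root is refused. Validate any real rule with `visudo -cf FILE` before installing it, preferably as a drop-in under /etc/sudoers.d so a typo cannot lock you out of the main file.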