linux - Adding sudoer for all but root
2014-07
Here is the base of my problem: I would like to add sudo rights to a user, but not to use it as root, for security reasons.
I have a PHP script needing to run a command (drush) through exec(). However, the PHP is run as a user and I want the command to be executed as another user. This is required because otherwise there is a permission problem writing to the other user's directory.
The drush command itself works; I've made it available to all users.
The current user (A) is a cPanel reseller that created the other account/user (B).
I can run exec('ls -la') as user A and it will return the CWD's contents as long as we are in user A's home directory. The same code with sudo added fails, as user A is not in the sudoers list.
The final command downloads files to user B's directory and looks like:
'<pwd> | sudo -S -u <usrB> drush dl drupal <irrelevant options>'
-S is supposed to automatically execute the command as user B using his password.
Running the exact same command as root works perfectly.
I wanted to know if there is a way to add user A to the sudoers without access as root, and if that would be safe to prevent potential security flaws. If it isn't possible, are there alternatives? I saw one could exclude directories from sudoers using !, but then I realized that this would be quite flawed.
Please note that I'm a developer, so even though I know some basics, I'm not a pro. Server is running CentOS 6.5, WHM/cPanel, and I have root access if needed. The idea is that a one-time setup will prevent configuration upon new user creation.
CentOS 6.5 has examples in the default sudoers file. Assuming the user is "user_a" and the command you want to run is ls, but only on the local host:
user_a localhost=/bin/ls
If you want multiple commands, separate the commands with a comma.
For more information, man sudoers has examples: http://www.sudo.ws/sudoers.man.html
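As an added example, not from the thread or from cPanel, here is what the one-time setup the question asks for looks like when the rule is limited to drush as the hosted account. The names are assumptions: reseller "user_a", hosted account "user_b", drush at /usr/local/bin/drush; it also assumes /etc/sudoers still carries its default "#includedir /etc/sudoers.d" line, so the rule can live in a drop-in instead of being edited into the main file. Two facts drive its shape: sudo authenticates the invoking user, so "-S" would mean feeding user A's own password from the PHP script's standard input, which a NOPASSWD rule makes unnecessary; and CentOS 6 sets "Defaults requiretty", which makes sudo refuse to run from a process without a terminal, such as PHP under a web server.

```sh
#!/bin/sh
# Added example (not from the thread): a one-time sudoers drop-in that lets
# the reseller account run drush as one of its hosted accounts, with no
# password and no root at request time. Assumed names: reseller "user_a",
# hosted account "user_b", drush at /usr/local/bin/drush. Assumes
# /etc/sudoers still has its default "#includedir /etc/sudoers.d" line.
# Only root can change sudoers, so the install step is run by root once.

# Emit the rule "<who> ALL=(<as_whom>) NOPASSWD: <cmd>". The command is
# given by absolute path because sudo matches the full path; a bare "drush"
# in the rule would never match. No argument list follows the path, so any
# arguments are permitted.
drush_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Emit the whole drop-in. CentOS 6 ships "Defaults requiretty", which makes
# sudo refuse to run from a process without a terminal (PHP under a web
# server), so the drop-in lifts it for this one user only.
drush_dropin() {
    printf 'Defaults:%s !requiretty\n' "$1"
    drush_rule "$1" "$2" "$3"
}

# Write the drop-in, but only after visudo -c has parsed it: a bad file
# under sudoers.d breaks sudo for everyone, exactly like a bad /etc/sudoers.
# The file name must not contain a dot or end in "~", or sudo ignores it.
install_drush_dropin() {
    who=$1; as_whom=$2; cmd=$3
    target=/etc/sudoers.d/drush-$who
    tmp=$(mktemp) || return 1
    drush_dropin "$who" "$as_whom" "$cmd" > "$tmp"
    if visudo -c -f "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "$target"
        rc=$?
    else
        echo "refusing to install $target: visudo rejected it" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# What the PHP side then execs, running as user_a. "-n" makes sudo fail at
# once instead of waiting for a password if the rule does not match, and the
# path is spelled out so that it matches the rule:
#   sudo -n -u user_b /usr/local/bin/drush dl drupal
case "${1:-}" in
    --install) install_drush_dropin user_a user_b /usr/local/bin/drush ;;
esac
```

Run as root with "--install" once; afterwards user A needs no password and the PHP script holds none. The rule deliberately does not restrict drush's arguments, because restricting them buys little: drush can evaluate arbitrary PHP (drush php-eval), so whoever can run drush as user_b can do anything user_b can. That is tolerable here only because A is the reseller that created B; it is not a rule to hand to an unrelated account.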
I changed settings in the sudoers file using
sudo visudo
and messed it up. Now when I try to do it again or open any file using sudo, I can't open it anymore and I get this error message:
>>> sudoers file: syntax error, line 7
What now?
Is there any way to get out of this problem (to revert the settings), or do I need to install a fresh copy of Linux?
The reason I got all this is I pressed "Q" while it was telling me there was some error, which was very stupid of me.
Thanks.
EDIT
My sudoers file is no different from a normal sudoers file. I just added a timestamp_timeout = 0 line to that file and all this problem arose. I did what James suggested and even removed that line (timestamp_timeout = 0). I changed the file permission to 0440, which it requested, and then booted normally. Then I get the same error message
sudoers file: syntax error, line 7
sudo: parse error in /etc/sudoers near line 7
as above.
What should I do now?
EDIT 2: Solved
This is what I did:
- Booted using a live CD
- Removed the old sudoers file
- Made a new sudoers file and copied everything into it, i.e. the minimum configuration settings, which I luckily had saved in another file
- Changed the file permission to 0440
- Rebooted normally from the hard drive
Hurray!
Assuming you didn't give the root user a password, the easiest way to fix this is with a live CD such as Knoppix. Boot off the CD. Mount the local disk, edit the file, unmount the disk and reboot.
Simple: boot the computer in 'single user mode' by doing the following steps:
- Reboot
- When GRUB starts, press ESC (or Escape)
- Press 'e' to edit the current line
- Add 'single' to the end of the line containing 'linux'
- Boot (press b)
This will start the computer with only one user, root. From there follow these steps:
- Run /usr/bin/vim /etc/sudoers (or use nano, which might be easier for you) to fix the problem
- If you're unsure of the problem, try copying the included example sudoers from "/usr/share/doc/sudo/examples" (varies) and of course add your user there.
- Save the file, exit Vim
- Reboot, enjoy!
James' idea to use a live CD (assuming the root account is not enabled) is a good one. I would add a few points.
- First, you might get lucky and a backup of the /etc/sudoers file was automatically saved when you were editing it. Check in /etc for a file that looks like this: sudoers~ (you can cd to that directory and run ls -A without root privileges, even if you can't read or edit the files as a regular user). Some editors will create such a backup if at all possible, so you may have one without having created it explicitly.
- Second, if you have no idea how to edit the file, you might consider posting it (or the area around line 7) here or elsewhere. Although the file itself has to do with security, there aren't passwords in it, so there's no immediate harm in posting it.
- Last, note that an error message like the one you saw doesn't necessarily mean that the problem itself is literally on line 7. The error might be on line 4, but only got tripped off, so to speak, on line 7.
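The recovery steps in the answers above, as an added example that is not from the thread: a small script to run from the single-user or live-CD shell. It assumes the broken file is /etc/sudoers (override SUDOERS with the mounted path on a live CD) and that the damage is the bare "timestamp_timeout = 0" line the asker describes. That line is a syntax error because sudoers options must be introduced by the Defaults keyword; the valid spelling is "Defaults timestamp_timeout=0". The script keeps the broken file, rewrites that line, gives the copy the root:root 0440 permissions sudo insists on, and only moves it into place after visudo -c accepts it. If visudo still rejects it, the script pulls the line number out of the error message and prints the lines around it, since, as the last point above says, the reported line is where the parser gave up, not always where the mistake is.

```sh
#!/bin/sh
# Added example (not from the thread): repair /etc/sudoers from a rescue
# shell. Assumes the breakage is a bare "timestamp_timeout = 0" line, i.e. a
# Defaults option written without the Defaults keyword, which sudo's parser
# rejects. Set SUDOERS to the mounted path when working from a live CD,
# e.g. SUDOERS=/mnt/etc/sudoers.

SUDOERS=${SUDOERS:-/etc/sudoers}

# Print lines (n-3)..(n+1) of a file. The parser reports the line where it
# gave up, which is not always the line that is actually wrong.
context() {
    file=$1; line=$2
    if [ "$line" -gt 3 ]; then start=$((line - 3)); else start=1; fi
    sed -n "${start},$((line + 1))p" "$file"
}

# Pull the line number out of visudo's message; both the older
# "syntax error, line 7" and the newer "syntax error near line 7" wording
# contain "line N". Filter: stdin to stdout, first match only.
reported_line() {
    sed -n 's/.*line \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Rewrite a bare "timestamp_timeout = N" line into the valid form
# "Defaults timestamp_timeout=N"; every other line passes through untouched.
# Filter: stdin to stdout.
fix_bare_timeout() {
    sed 's/^[[:space:]]*timestamp_timeout[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/Defaults timestamp_timeout=\1/'
}

# Report whether a candidate file parses, without installing it.
sudoers_ok() {
    visudo -c -f "$1" >/dev/null 2>&1
}

# Keep the broken file, build a fixed copy with the permissions sudo insists
# on (root:root, 0440), and swap it in only if it parses. The copies live
# in /etc, not /etc/sudoers.d, so sudo never reads them as rules.
repair() {
    cp -p "$SUDOERS" "$SUDOERS.broken" || return 1
    fix_bare_timeout < "$SUDOERS.broken" > "$SUDOERS.new" || return 1
    chown root:root "$SUDOERS.new" && chmod 0440 "$SUDOERS.new" || return 1
    if sudoers_ok "$SUDOERS.new"; then
        mv "$SUDOERS.new" "$SUDOERS" &&
            echo "repaired $SUDOERS; original kept as $SUDOERS.broken"
    else
        rm -f "$SUDOERS.new"
        echo "still broken; the parser stopped near this part:" >&2
        n=$(visudo -c -f "$SUDOERS.broken" 2>&1 | reported_line)
        [ -n "$n" ] && context "$SUDOERS.broken" "$n" >&2
        return 1
    fi
}

case "${1:-}" in
    --repair) repair ;;
    --show)   context "$SUDOERS" "${2:-7}" ;;
esac
```

"--show 7" prints the neighbourhood of the reported line before you touch anything; "--repair" does the rewrite. The same "check with visudo -c -f before installing" step is what prevents the original accident: a candidate file that visudo rejects never replaces the live one.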
Try pressing e, for edit. This should let you edit the file and correct the errors.