sudo - Limit user to execute selective commands (Linux)

07
2014-07
  • newbie17

    How can I limit my user to execute selective commands only? I have a user tomc in the tomc group. I need this user to be a sudo user and then to have a restricted bash. I have tried the following code in the /etc/sudoers file, but it's not working, as the user is able to execute other commands like mkdir and rm.

    %tomc ALL=/bin/bash,/usr/bin/vim /*
    
  • Answers
  • mtak

    You might be going at this the wrong way. Instead of giving a user a 'restricted' bash shell, you should only give them access to the commands they would need to run as root. For example, in your sudoers file:

    tomc ALL=(root) /usr/bin/vim /etc/myapp.conf
    tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log
    

    Be careful with allowing users to run vim as root. Vim has a lot of features built in, like escapes to the shell and the ability to run commands from within vim. Depending on your distribution, you might have sudoedit available. This works the same as a normal Vim, except it's designed to handle shell escapes and such.

  • (author not captured)

    There is a toolkit called jailkit.

    Take a look at its documentation page.


  • Related Question

    linux - sudo command requires password under Wine?
  • rana123

    I have set the following line in the /etc/sudoers file

    sana ALL=NOPASSWD: /usr/bin/wine
    

    As the user sana, when I execute the command sudo -u randeel /usr/bin/wine cmd /c wscript some.vbs in the shell, it prompts for a password.

    What is wrong here? I don't want a password prompt when I execute the command.


  • Related Answers
  • Marcus Whybrow

    sudo means "super user do", meaning "perform this command as the super (root) user". If you are not logged on as the root user of your system, using sudo will ask you for your password, and check that you are in the sudoers file. If both of these checks succeed then you are allowed to execute the command as the root user.

    Adding yourself to the sudoers file does not prevent you from having to enter a password to use sudo, it enables you to use sudo in the way you are experiencing.

  • Tok

    Have you attempted to run /usr/bin/wine as yourself via sudo? What is the outcome?

    There is nothing syntactically wrong with your sudo configuration; however, using the -u flag may be interfering with your intended behavior.

    If you always wish to execute wine as user randeel rather than the effective sana user, you may want to investigate the runas_spec for sudoers. For example:

    sana ALL=(randeel) NOPASSWD: /usr/bin/wine
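
    The two threads above turn on the same two points of sudoers matching: a rule lists the exact commands (and argument patterns) a user may run, and the runas part in parentheses defaults to root when it is absent, so "sudo -u randeel" finds no matching rule for "sana ALL=NOPASSWD: /usr/bin/wine". The following Python is an added example written for this page, not sudo's own code: a deliberately simplified model of sudoers rule matching (user/%group, runas list, NOPASSWD tag, command path plus fnmatch-ed argument string, last match wins) that checks the rules from mtak's and Tok's answers against sample invocations. Host matching, aliases and Defaults are left out, and the user, group and command values are taken from the posts.

```python
"""Simplified model of sudoers(5) command-rule matching.

Added example for this page, not sudo's own implementation. It models only
what the answers above rely on: a user or %group spec, an optional runas list
in parentheses (defaulting to root, like sudo's runas_default), an optional
NOPASSWD: tag, and comma-separated commands whose arguments are matched as one
space-joined string with fnmatch, as the sudoers manual describes. When several
rules match, the last one wins, as in real sudoers.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Rule:
    who: str                      # "tomc" (user) or "%tomc" (group)
    runas: tuple = ("root",)      # users the command may be run as
    nopasswd: bool = False
    commands: list = field(default_factory=list)  # [(path, arg pattern or None)]


def parse_rule(line):
    """Parse one line of the form:  who HOST=[(runas[,runas])] [NOPASSWD:] cmd[, cmd...]"""
    who, rest = line.split(None, 1)
    _host, spec = rest.split("=", 1)          # host matching is not modelled
    spec = spec.strip()
    runas = ("root",)
    if spec.startswith("("):
        close = spec.index(")")
        runas = tuple(u.strip() for u in spec[1:close].split(","))
        spec = spec[close + 1:].strip()
    nopasswd = False
    if spec.startswith("NOPASSWD:"):
        nopasswd = True
        spec = spec[len("NOPASSWD:"):].strip()
    commands = []
    for cmd in spec.split(","):
        parts = cmd.strip().split(None, 1)    # path, then the argument pattern
        commands.append((parts[0], parts[1] if len(parts) > 1 else None))
    return Rule(who, runas, nopasswd, commands)


def args_match(pattern, args):
    """No pattern in the rule allows any arguments; '""' allows none;
    otherwise the whole argument list is matched as a single string."""
    if pattern is None:
        return True
    if pattern == '""':
        return not args
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def decide(rules, user, groups, runas_user, argv):
    """Return (allowed, nopasswd) for `sudo -u <runas_user> argv...` run by `user`."""
    path, args = argv[0], argv[1:]
    result = (False, False)
    for r in rules:
        if r.who.startswith("%"):
            if r.who[1:] not in groups:
                continue
        elif r.who != user:
            continue
        if "ALL" not in r.runas and runas_user not in r.runas:
            continue                          # rule does not cover this target user
        if any(cp == "ALL" or (cp == path and args_match(pat, args))
               for cp, pat in r.commands):
            result = (True, r.nopasswd)       # last matching rule wins
    return result


def demo():
    """Evaluate the rules from the posts against constructed invocations."""
    op = [parse_rule("%tomc ALL=/bin/bash,/usr/bin/vim /*")]
    tight = [parse_rule("tomc ALL=(root) /usr/bin/vim /etc/myapp.conf"),
             parse_rule("tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log")]
    wine_root = [parse_rule("sana ALL=NOPASSWD: /usr/bin/wine")]
    wine_runas = [parse_rule("sana ALL=(randeel) NOPASSWD: /usr/bin/wine")]
    return {
        # The questioner's rule allows a root bash outright, so every other
        # command (mkdir, rm, ...) is reachable from that shell even though no
        # rule names them.
        "op_bash": decide(op, "tomc", {"tomc"}, "root", ["/bin/bash"])[0],
        "op_mkdir": decide(op, "tomc", {"tomc"}, "root", ["/bin/mkdir", "/srv/x"])[0],
        # mtak's rules: only the named file and the log glob are allowed.
        "tight_conf": decide(tight, "tomc", set(), "root",
                             ["/usr/bin/vim", "/etc/myapp.conf"])[0],
        "tight_other": decide(tight, "tomc", set(), "root",
                              ["/usr/bin/vim", "/etc/hosts"])[0],
        "tight_log": decide(tight, "tomc", set(), "root",
                            ["/usr/bin/less", "/var/log/myapp/app.log"])[0],
        # The wine rule without a runas list only covers running as root, so
        # "-u randeel" does not match it and sudo falls back to asking for a
        # password; adding (randeel) fixes that.
        "wine_as_root": decide(wine_root, "sana", set(), "root",
                               ["/usr/bin/wine", "cmd", "/c", "wscript", "some.vbs"]),
        "wine_as_randeel": decide(wine_root, "sana", set(), "randeel",
                                  ["/usr/bin/wine", "cmd"])[0],
        "wine_runas_randeel": decide(wine_runas, "sana", set(), "randeel",
                                     ["/usr/bin/wine", "cmd"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    Running the script shows the questioner's rule permitting /bin/bash as root, mtak's rules permitting only the listed files, and the wine rule matching as root but not as randeel until the (randeel) runas list is added. Real sudo also checks the host column, aliases, Defaults and the argument-matching corner cases the manual warns about, so use visudo -c and sudo -l on the actual system to confirm what a rule grants before relying on it.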

  • hbdgaf

    I think sudo is having trouble with the command-line args. Try single quoting the entire /usr...vbs area and adding that entire command as your command alias in sudoers (also single quoted).