sudo - Limit user to execute selective commands (Linux)
2014-07
How can I limit my user to execute selective commands only? I have a user tomc in the tomc group. I need this user to be a sudo user and then to have a restricted bash. I have tried the following line in the /etc/sudoers file, but it's not working, as the user is able to execute other commands like mkdir, rm:
%tomc ALL=/bin/bash,/usr/bin/vim /*
You might be going at this the wrong way. Instead of giving a user a 'restricted' bash shell, you should only give them access to the commands they would need to run as root. For example, in your sudoers file:
tomc ALL=(root) /usr/bin/vim /etc/myapp.conf
tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log
Be careful with allowing users to run vim as root. Vim has a lot of features built in, like escapes to the shell and the ability to run commands from within vim. Depending on your distribution, you might have sudoedit available. This works the same as a normal Vim, except it's designed to handle shell escapes and such.
There is a toolkit called jailkit.
I have set the following line in the /etc/sudoers file:
sana ALL=NOPASSWD: /usr/bin/wine
As the user sana, when I execute the command sudo -u randeel /usr/bin/wine cmd /c wscript some.vbs in the shell, it prompts for a password.
What is wrong here? I don't want a password prompt when I execute the command.
sudo means "super user do", meaning "perform this command as the super (root) user". If you are not logged on as the root user of your system, using sudo will ask you for your password and check that you are in the sudoers file. If both of these checks succeed then you are allowed to execute the command as the root user.
Adding yourself to the sudoers file does not prevent you from having to enter a password to use sudo; it enables you to use sudo in the way you are experiencing.
Have you attempted to run /usr/bin/wine as yourself via sudo? What is the outcome?
There is nothing syntactically wrong with your sudo configuration; however, using the -u flag may be interfering with your intended behavior.
If you always wish to execute wine as user randeel rather than the effective sana user, you may want to investigate the runas_spec for sudoers. For example:
sana ALL=(randeel) NOPASSWD: /usr/bin/wine
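Both threads come down to how sudoers matches a rule: which user or group it names, which runas target it covers (root when the parenthesised spec is omitted), and how the command and its arguments are compared. The following is an added example, not sudo's own code and not from any answer above: a toy model of that matching plus a small lint that flags the patterns the first answer warns about (a shell binary in the command list, an editor or pager run as root instead of sudoedit, and argument wildcards, which sudoers matches across word boundaries). The rule text it parses is copied from the two questions and their answers; the invocations it checks, and the names ORIGINAL_Q1, ANSWER_Q1, ORIGINAL_Q2 and ANSWER_Q2, are constructed for the example.

```python
"""Toy model of sudoers rule matching plus a lint for over-broad rules.

Added example, not sudo's own code. Only the grammar subset used in this
thread is handled:  user_or_%group  host=(runas) TAG: /path args, /path args
Aliases, Defaults, continuations, negation and [..] classes are unsupported;
syntax-check a real file with `visudo -cf FILE` before installing it.
"""
import re
from dataclasses import dataclass

SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
ESCAPE_CAPABLE = {"vim", "vi", "nano", "less", "more"}  # offer shell escapes

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"        # optional runas spec
    r"(?P<tags>(?:[A-Z]+:\s*)*)"           # NOPASSWD: and friends
    r"(?P<cmnds>.+)$"
)


@dataclass
class Rule:
    who: str        # "tomc", or "%tomc" for a group
    host: str
    runas: str      # sudoers falls back to root when (runas) is omitted
    nopasswd: bool
    commands: list  # verbatim "path args" specs


def parse_rules(text: str) -> list:
    """Parse sudoers lines; comments, blank lines and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line}")
        rules.append(Rule(m["who"], m["host"], (m["runas"] or "root").strip(),
                          "NOPASSWD:" in m["tags"],
                          [c.strip() for c in m["cmnds"].split(",")]))
    return rules


def _glob_re(pattern: str, pathname: bool) -> re.Pattern:
    """sudoers-style glob: '*' and '?' never cross '/' in the command path
    (FNM_PATHNAME) but match anything, spaces included, in the arguments."""
    unit = "[^/]" if pathname else "."
    body = "".join(unit + "*" if ch == "*" else unit if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile(body + r"\Z")


def command_matches(spec: str, cmd: str, args: list) -> bool:
    if spec == "ALL":
        return True
    parts = spec.split(None, 1)
    if not _glob_re(parts[0], pathname=True).match(cmd):
        return False
    if len(parts) == 1:
        return True                 # no args in the rule: any args allowed
    if parts[1] == '""':
        return not args             # "" in the rule: no args allowed
    # Arguments are compared as one space-joined string, so a '*' in the
    # rule can swallow several arguments at once (documented sudoers caveat).
    return bool(_glob_re(parts[1], pathname=False).match(" ".join(args)))


def decide(rules, user, groups, runas, cmd, args, host="ALL"):
    """Return 'deny', 'allow' or 'allow-nopasswd'. As in sudoers, the *last*
    matching rule wins, not the most specific one."""
    verdict = "deny"
    for r in rules:
        if r.who.startswith("%"):
            if r.who[1:] not in groups:
                continue
        elif r.who not in (user, "ALL"):
            continue
        if r.host not in ("ALL", host) or r.runas not in ("ALL", runas):
            continue
        if any(command_matches(spec, cmd, args) for spec in r.commands):
            verdict = "allow-nopasswd" if r.nopasswd else "allow"
    return verdict


def risky_entries(rule) -> list:
    """Flag command specs that hand out more than one fixed command."""
    findings = []
    for spec in rule.commands:
        parts = spec.split(None, 1)
        base = parts[0].rsplit("/", 1)[-1]
        if spec == "ALL" or base in SHELLS:
            findings.append(f"{spec}: grants an unrestricted root shell")
        if base in ESCAPE_CAPABLE:
            findings.append(f"{spec}: {base} can escape to a shell; prefer sudoedit")
        if len(parts) == 2 and re.search(r"[*?]", parts[1]):
            findings.append(f"{spec}: argument wildcard matches across word boundaries")
    return findings


# Constructed samples: the rules quoted in the two questions and their answers.
ORIGINAL_Q1 = "%tomc ALL=/bin/bash,/usr/bin/vim /*\n"
ANSWER_Q1 = ("tomc ALL=(root) /usr/bin/vim /etc/myapp.conf\n"
             "tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log\n")
ORIGINAL_Q2 = "sana ALL=NOPASSWD: /usr/bin/wine\n"
ANSWER_Q2 = "sana ALL=(randeel) NOPASSWD: /usr/bin/wine\n"

if __name__ == "__main__":
    for name, text in (("Q1 original", ORIGINAL_Q1), ("Q1 answer", ANSWER_Q1)):
        for r in parse_rules(text):
            for f in risky_entries(r):
                print(f"{name}: {f}")
    q2 = parse_rules(ORIGINAL_Q2)
    print("wine as root:   ", decide(q2, "sana", {"sana"}, "root", "/usr/bin/wine", ["cmd"]))
    print("wine as randeel:", decide(q2, "sana", {"sana"}, "randeel", "/usr/bin/wine", ["cmd"]))
```

Run it and the lint reports the shell binary and the argument wildcard in the original tomc rule, and the answer's less rule is shown matching two log paths at once because the wildcard spans the space between arguments. For the wine question, the model returns deny for the -u randeel invocation under the original rule (the implicit runas is root) and allow-nopasswd under the (randeel) rule above, which is the behaviour the answer describes.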
I think sudo is having trouble with the command-line args. Try single quoting the entire /usr...vbs area and adding that entire command as your command alias in sudoers (also single quoted).