Thursday, December 23, 2010

Sudo access to a specific command set

Lets say we have a requirement to give sudo access only to a particular command set.  Let’s take couple of scenarios like this:

1.   We want to give privilege to DBA team to mount/umount ONLY a particular filesystem ( /oracle_data) but  we don’t want them to mount/umount other filesystem.
2.   We want to give privilege to NOC team to start/stop ONLY the httpd service but we don’t want them to start/stop other services.

The syntax in /etc/sudoers file should be as follows:

%dbateam          ALL=(ALL) NOPASSWD:  /bin/mount /oracle_data, /bin/umount /oracle_data

%nocteam          ALL=(ALL) NOPASSWD:  /sbin/service httpd start, /sbin/service httpd stop, /sbin/service httpd status

Having set like this, the respective team members can execute the commands as follows:

# sudo /bin/mount /oracle_data      # Works
# sudo /bin/umount /oracle_data    # Works

# sudo /bin/mount /other_filesystem     # This will fail

# sudo /sbin/service httpd start       #  Works
# sudo /sbin/service httpd stop       #  Works
# sudo /sbin/service httpd restart   #   Fails. Since restart is not specified

# sudo /sbin/service nfs start           #  This will fail

No comments:

Post a Comment