Thursday, December 23, 2010
Sudo access to a specific command set
Let's say we have a requirement to grant sudo access only for a particular set of commands. Consider a couple of scenarios like this:
1. We want to give the DBA team the privilege to mount/umount ONLY a particular filesystem (/oracle_data), but we don't want them to mount/umount other filesystems.
2. We want to give the NOC team the privilege to start/stop ONLY the httpd service, but we don't want them to start/stop other services.
The syntax in the /etc/sudoers file should be as follows:
%dbateam ALL=(ALL) NOPASSWD: /bin/mount /oracle_data, /bin/umount /oracle_data
%nocteam ALL=(ALL) NOPASSWD: /sbin/service httpd start, /sbin/service httpd stop, /sbin/service httpd status
With this configuration in place, the respective team members can execute the commands as follows (sudo matches the command path and its arguments exactly, so anything not listed is refused):
# sudo /bin/mount /oracle_data # Works
# sudo /bin/umount /oracle_data # Works
# sudo /bin/mount /other_filesystem # This will fail
# sudo /sbin/service httpd start # Works
# sudo /sbin/service httpd stop # Works
# sudo /sbin/service httpd restart # Fails, since restart is not specified in sudoers
# sudo /sbin/service nfs start # This will fail
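To see why exactly these command lines pass or fail, here is an added example (not from the original post) that emulates how sudo compares a command line against a rule's command list: the full path plus the arguments must match one listed entry verbatim. It assumes plain entries only (no wildcards or Cmnd_Alias) and embeds the two rules above as a constructed sudoers fragment.

```sh
#!/bin/sh
# Added example, not from the original post: emulate sudoers Cmnd_Spec
# matching (exact command path + exact arguments) so the Works/Fails
# outcomes above can be reproduced offline. Wildcards and Cmnd_Alias are
# deliberately not emulated.

# Constructed sudoers fragment: the two rules from the post.
SUDOERS_RULES='%dbateam ALL=(ALL) NOPASSWD: /bin/mount /oracle_data, /bin/umount /oracle_data
%nocteam ALL=(ALL) NOPASSWD: /sbin/service httpd start, /sbin/service httpd stop, /sbin/service httpd status'

# is_permitted GROUP "COMMAND ARGS"
# Returns 0 when the whole command line is one of the group's permitted
# entries, 1 otherwise.
is_permitted() {
    group=$1
    cmdline=$(printf '%s' "$2" | tr -s ' ')
    # take the rule line for this group and keep only the part after "NOPASSWD:"
    spec=$(printf '%s\n' "$SUDOERS_RULES" |
        awk -v g="%$group" '$1 == g { sub(/^[^:]*: */, ""); print }')
    [ -n "$spec" ] || return 1
    # one entry per line, trimmed; a whole-line exact match is required,
    # which is why "service httpd restart" does not match "service httpd stop"
    printf '%s\n' "$spec" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq -- "$cmdline"
}

# verdict GROUP "COMMAND ARGS" -> prints Works or Fails
verdict() {
    if is_permitted "$1" "$2"; then echo "Works"; else echo "Fails"; fi
}

# Replay the post's examples for both teams
for c in "/bin/mount /oracle_data" "/bin/umount /oracle_data" \
         "/bin/mount /other_filesystem"; do
    printf '%-45s %s\n' "dbateam: sudo $c" "$(verdict dbateam "$c")"
done
for c in "/sbin/service httpd start" "/sbin/service httpd stop" \
         "/sbin/service httpd restart" "/sbin/service nfs start"; do
    printf '%-45s %s\n' "nocteam: sudo $c" "$(verdict nocteam "$c")"
done
```

On a real host, validate the edited file with `visudo -c` and confirm a member's effective rules with `sudo -l -U <user>` rather than trusting the emulation.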