We have several tier2 admins who have very limited admin rights granted via sudo; as they have limited experience, we really want to put them into a tight set of operations they can perform.

One of their tasks generally involves copying something to a subdirectory of a root directory, say /data.

This directory is owned by another user and group, as that user primarily accesses it and manipulates its contents.

If I grant them sudo cp access, however, I do leave the system open somewhat, as they could overwrite a file anywhere on the system, whereas I only need them to be able to copy something into /data and below.

Is it possible to allow sudo access to cp but only in a limited use case? I'm currently thinking not without my creating a script.

Another alternative is to establish a secured ftp service and grant them access that way. Thoughts welcome.

3 Answers


The normal solution here is to make data belong to a group that only the tier2 admins belong to. If you have ACL then this could also be used.

  • I think the ACL option may be more viable and flexible in the long term, plus I've not played with it for some time. Thanks for the answer, amazing what one forgets.
    – AJM
    Commented Jul 16, 2010 at 13:10

The preferred way to do this is to define a clever and stable group of permissions that allow any actor to access the files as needed, but it is possible to grant sudo access to cp with certain parameters in the sudoers file, according to its EBNF definition in the man page, section "Aliases":

commandname ::= file name |
             file name args |
             file name '""'

These command arguments also allow the use of wildcards for argument string matching (see the man page again).

This means you can add to sudoers something like this:

user1 ALL= /bin/cp * /protected/path/dir*

in order to allow user1 to copy any file to /protected/path/dir and any of its subdirs as root.
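
An added example, not part of the question or the answers here: the wrapper-script approach the question mentions, which a sudoers entry can name instead of cp itself. Per the sudoers manual, wildcards in command arguments match across word boundaries and "/", so an argument pattern alone does not pin the destination to one tree; the wrapper resolves the destination before copying. The base /data is taken from the question; the function name and exit codes are assumptions.

```shell
#!/bin/sh
# Added example: restricted copy wrapper. /data comes from the question;
# the function name and exit codes are hypothetical.

# copy_into BASE SRC DEST_DIR
# Copies regular file SRC into DEST_DIR only if DEST_DIR resolves inside BASE.
copy_into() {
    base=$1 src=$2 dest=$3

    # Canonicalise both directories: follows symlinks and collapses "..".
    real_base=$(cd -P -- "$base" 2>/dev/null && pwd -P) ||
        { echo "base directory $base not found" >&2; return 2; }
    real_dest=$(cd -P -- "$dest" 2>/dev/null && pwd -P) ||
        { echo "destination must be an existing directory" >&2; return 2; }

    # The resolved destination must be BASE itself or lie below it.
    case "$real_dest/" in
        "$real_base"/*) ;;
        *) echo "refused: $dest is outside $base" >&2; return 3 ;;
    esac

    # Accept only a regular file as source (no symlinks, devices, directories).
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refused: $src is not a regular file" >&2; return 4
    fi

    # Do not write through a symlink already sitting at the target name.
    target=$real_dest/$(basename -- "$src")
    if [ -L "$target" ]; then
        echo "refused: $target is a symlink" >&2; return 5
    fi

    cp -- "$src" "$target"
}

# When installed as the sudo-granted command: <wrapper> SRC DEST_DIR
if [ "$#" -eq 2 ]; then
    copy_into /data "$1" "$2"
fi
```

The checks and the copy are separate steps, so the wrapper assumes the tier2 admins cannot themselves rename or replace directories under /data between them.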


If this was a cp that is triggered by a certain event or condition, I would script it and let cron take care of the file copies.
