
Original post by edrw

Whitelisting commands a user can use with sudo

I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.

I've tried:

  1. user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  2. user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  3. user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  4. user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL

All of those attempts have resulted in a syntax error in the /etc/sudoers file.

I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?
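An added example, not from the question or from superuser.com: the drop-in shape sudoers accepts for this whitelist, using the question's placeholder names (/bin/cmd1 arg1 arg2, "user"), with a visudo parse check run before anything is installed.

```shell
#!/bin/sh
# Added example, not the question's text: a sudoers drop-in for the whitelist
# described in the post. /bin/cmdN, arg1 arg2 and "user" are the question's
# own placeholders.
set -eu

# Sudoers privilege lines have the shape
#     who  where=(run_as) TAG: cmd [args], cmd [args], ...
# The run-as spec sits directly after "ALL=" and the NOPASSWD: tag goes in
# front of the command list (it applies to every command after it). A tag
# after the last command, as in attempts 1 to 3 above, is not valid there,
# and attempt 4 puts commands where the run-as spec belongs.
# Listing explicit arguments allows only that exact argument string; a
# command listed with no arguments may be run with any arguments.
sudoers_fragment() {
    cat <<'EOF'
Cmnd_Alias USER_CMDS = /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2
user ALL=(root) NOPASSWD: USER_CMDS
EOF
}

# Parse-check the fragment before it goes near /etc/sudoers.d: a malformed
# drop-in breaks sudo for every user. Returns visudo's exit status, or 0
# with a warning when visudo is not installed on this machine.
check_fragment() {
    tmp=$(mktemp)
    sudoers_fragment > "$tmp"
    chmod 0440 "$tmp"   # the mode sudo expects for sudoers files
    status=0
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" || status=$?
    else
        echo "visudo not found; syntax check skipped" >&2
    fi
    rm -f "$tmp"
    return "$status"
}

sudoers_fragment
if check_fragment; then
    echo "fragment parses; install it with: visudo -f /etc/sudoers.d/user-whitelist"
else
    echo "fragment rejected by visudo; do not install it" >&2
fi
```

visudo -c -f also checks file owner and mode, so run the check as root (or expect an ownership complaint on a temp file) before trusting a rejection.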