/etc/sudoers set user to have general sudo use, with no password prompt for only one command

I have an entry in /etc/sudoers for a user who can execute sudo for all commands.

    fred ALL=(ALL:ALL) ALL

As per the documentation the final ALL is responsible for allowing access to all commands.

I would like fred to be able to execute a restart of nginx on Ubuntu 14.04 without supplying a sudo password, while still retaining the ability to invoke sudo for other commands. The [sudoers][1] documentation isn't clear, but I believe

    fred ALL=(ALL) NOPASSWD: /usr/sbin/service

only lets fred run one command. I want to give fred the ability to run all commands as root via sudo, with all except /usr/sbin/service requiring a password.

Looking at the documentation's BNF

    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List (':' Host_List '=' Cmnd_Spec_List)*

    Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd

    Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

    SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

    Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')

    Tag_Spec ::= ('EXEC:' |
                  'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW:' |
                  'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
                  'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
                  'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')

it appears that I may be able to use multiple Cmnd_Spec_Lists thus

    fred ALL=(ALL : ALL) ALL, NOPASSWD: /usr/sbin/service

But the documentation doesn't say that the latter NOPASSWD: Cmnd_Spec will override the ALL command root access for only that command.

It's the kind of thing I like to get right first time. Can anyone confirm please that the last line will work (or, alternately, say it won't work) for the specific purpose in hand?

Further, if it works to allow fred to run service without a sudo password, is there a way I can restrict the arguments to service, so fred can only work without a password on service nginx, or even better, so fred can only restart that server without a password?

Thanks.

[1]: https://help.ubuntu.com/community/Sudoers
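
A small Python model of the two sudoers rules this question turns on, added here as an illustration and not part of the original post or of sudo itself: a tag such as `NOPASSWD:` carries over to later entries in a Cmnd_Spec_List until the opposite tag appears, and when several entries match a command, the last one decides. The function names are hypothetical; the model takes only the part of the rule after the Runas_Spec, ignores negation (`!`), aliases and escaped commas, and approximates argument wildcards with `fnmatch`.

```python
import fnmatch
import shlex


def parse_cmnd_spec_list(spec_list):
    """Split 'ALL, NOPASSWD: /usr/sbin/service' into (passwd_required, cmnd) pairs."""
    entries, passwd = [], True          # default: a password is required
    for item in spec_list.split(","):
        item = item.strip()
        while item.startswith(("NOPASSWD:", "PASSWD:")):
            tag, item = item.split(":", 1)
            passwd = (tag == "PASSWD")  # tag stays in force for later entries
            item = item.strip()
        if item:
            entries.append((passwd, item))
    return entries


def cmnd_matches(cmnd, argv):
    """Match a sudoers Cmnd against a fully qualified command line."""
    if cmnd == "ALL":
        return True
    path, *want = shlex.split(cmnd)
    if path != argv[0]:
        return False
    if not want:                        # no arguments listed: any arguments match
        return True
    if want == [""]:                    # "" listed: only the bare command matches
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(want))


def check(spec_list, command):
    """Return 'denied', 'password' or 'nopasswd'; the last matching entry wins."""
    argv = shlex.split(command)
    result = "denied"
    for passwd, cmnd in parse_cmnd_spec_list(spec_list):
        if cmnd_matches(cmnd, argv):
            result = "password" if passwd else "nopasswd"
    return result


# Constructed rules: the line from the question, and three variants.
QUESTION = "ALL, NOPASSWD: /usr/sbin/service"
RESTRICTED = "ALL, NOPASSWD: /usr/sbin/service nginx restart"
REVERSED = "NOPASSWD: /usr/sbin/service, ALL"            # ALL inherits NOPASSWD
REVERSED_PASSWD = "NOPASSWD: /usr/sbin/service, PASSWD: ALL"  # ALL matches last
```

On a real system, check a candidate file with `visudo -cf <file>` before installing it and confirm the effective rules with `sudo -l -U fred`.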