5

I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.

I've tried:

  1. user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  2. user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  3. user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  4. user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL

All of those attempts have resulted in a syntax error in the /etc/sudoers file.

I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?

1 Answer

3

Try to add something like this:

user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args

On the above line:

  • user is the user that needs access to the commands
  • /bin/cmd1 args, /bin/cmd2 args are the commands
  • root is the user under which the commands will be executed
5
  • Still results in a syntax error on that line when I save the file
    – edrw
    Commented Nov 23, 2015 at 14:03
  • I got sudo user and commands mixed up. Try with the edited format.
    – cristi
    Commented Nov 23, 2015 at 16:28
  • So one of the commands I'm trying to whitelist is a /bin/chown user:group /some/folder and apparently the unescaped colon was causing a syntax error.
    – edrw
    Commented Nov 23, 2015 at 22:18
  • What is root specifying here? It works with 'user ALL=NOPASSWD: /bin/cmd args, /bin/cmd2 args' as well.
    – edrw
    Commented Nov 24, 2015 at 0:48
  • 2
    And ALL specifies that the rule applies on all hosts (if you were to copy the file elsewhere, for example), for anyone who is curious.
    Commented Aug 21, 2020 at 10:20
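To see why the question's four attempts fail and the answer's form works without editing a live /etc/sudoers, here is an added Python example. It is not part of the original post and is not sudo's own parser: it is a small constructed model of just the sudoers(5) user-specification grammar discussed in this thread (user, host, optional `(runas_user:runas_group)`, tags such as `NOPASSWD:` before the command, comma-separated fully qualified commands with arguments, and backslash escaping of `:`). The rule strings are the ones quoted on this page; the error messages are the example's own wording. On a real host, `visudo -c -f <file>` is the authoritative check.

```python
"""Minimal checker for sudoers "user specification" lines (added example).

Constructed teaching model, not sudo's parser.  It covers only the subset of
sudoers(5) grammar this thread is about:

    user  host = (runas_user[:runas_group]) TAG: /path/cmd args, /path/cmd args

Aliases, quoted strings, comments and multi-user/host lists are not modelled.
"""

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
SPECIALS = "=(),:"

# The four attempts quoted in the question, and the form given in the answer.
ATTEMPTS = [
    "user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL",
    "user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL",
    "user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL",
    "user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL",
]
ANSWER = "user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args"


class SudoersSyntaxError(ValueError):
    pass


def tokenize(line):
    """Split into ("WORD", text) plus single-char tokens = ( ) , : ; a
    backslash escapes the next char, so user\\:group stays one word."""
    tokens, word, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char joins the word
            word, i = word + line[i + 1], i + 2
            continue
        if ch.isspace() or ch in SPECIALS:
            if word:
                tokens.append(("WORD", word))
                word = ""
            if ch in SPECIALS:
                tokens.append((ch, ch))
        else:
            word += ch
        i += 1
    if word:
        tokens.append(("WORD", word))
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self, ahead=0):
        i = self.pos + ahead
        return self.toks[i] if i < len(self.toks) else ("EOF", "")

    def take(self, kind=None):
        tok = self.peek()
        if kind is not None and tok[0] != kind:
            raise SudoersSyntaxError(f"expected {kind} but found {tok[1] or 'end of line'!r}")
        self.pos += 1
        return tok


def _parse_runas(p):
    """Inside ( ... ): comma-separated user names, optional ':' then group names."""
    users, groups = [], []
    current = users
    while True:
        kind, text = p.take()
        if kind == ")":
            return users, groups
        if kind == ":" and current is users:
            current = groups                      # switch to the group list
        elif kind == "WORD" and not text.startswith("/") and p.peek()[0] != "WORD":
            current.append(text)
        elif kind != ",":
            raise SudoersSyntaxError(f"unexpected {text or 'end of line'!r} in runas spec: "
                                     "(...) holds user[:group] names, not commands")


def parse_user_spec(line):
    """Parse one line into a dict, or raise SudoersSyntaxError explaining why."""
    p = _Parser(tokenize(line))
    user, host = p.take("WORD")[1], p.take("WORD")[1]
    p.take("=")
    runas, tags, commands = ([], []), set(), []
    while True:
        if p.peek()[0] == "(":                    # optional Runas_Spec
            p.take("(")
            runas = _parse_runas(p)
        # Tag_Specs precede the command and stay in force for later commands.
        while p.peek()[0] == "WORD" and p.peek()[1] in TAGS and p.peek(1)[0] == ":":
            tag = p.take("WORD")[1]
            p.take(":")
            opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
            tags = (tags - {opposite}) | {tag}    # a tag replaces its opposite
        cmd = p.take("WORD")[1]
        if cmd != "ALL" and not cmd.startswith("/"):
            raise SudoersSyntaxError(f"command {cmd!r} must be a full path or ALL")
        args = []
        while p.peek()[0] == "WORD":
            args.append(p.take()[1])
        commands.append({"runas_users": runas[0], "runas_groups": runas[1],
                         "tags": sorted(tags), "command": cmd, "args": args})
        kind, text = p.take()
        if kind == "EOF":
            return {"user": user, "host": host, "commands": commands}
        if kind == ":":
            raise SudoersSyntaxError("unescaped ':' after the command: tags like NOPASSWD: belong "
                                     "before the command, and a literal colon in an argument is \\:")
        if kind != ",":
            raise SudoersSyntaxError(f"unexpected {text!r} after command arguments")


def check(line):
    """Return (True, parsed_dict) or (False, error_message) without raising."""
    try:
        return True, parse_user_spec(line)
    except SudoersSyntaxError as err:
        return False, str(err)


if __name__ == "__main__":
    chown = r"user ALL=(root) NOPASSWD: /bin/chown user\:group /some/folder"  # escaped colon
    for rule in ATTEMPTS + [ANSWER, chown]:
        ok, detail = check(rule)
        print("OK   " if ok else "ERROR", rule, "" if ok else "-> " + detail)
```

Running the block prints ERROR for each of the four attempts (the first three stop at the unescaped colon in `NOPASSWD:` placed after the command list, the fourth at a command path inside the runas parentheses) and OK for the answer's line and for the escaped `user\:group` chown rule from the comments. The `check()` helper is the piece to reuse in a pre-deploy script.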

