
I have an entry in /etc/sudo for a user who can execute sudo for all commands.

fred ALL=(ALL:ALL) ALL

As per the documentation the final ALL is responsible for allowing access to all commands.

I would like fred to be able to execute a restart of nginx on Ubuntu 14.04 without supplying a sudo password, while still retaining the ability to invoke sudo for other commands. The sudoers documentation isn't clear, but I believe

fred ALL=(ALL) NOPASSWD: /usr/sbin/service

only lets fred run one command. I want to give fred the ability to run all commands as root via sudo, with all except /usr/sbin/service requiring a password.

Looking at the documentation's BNF

User_Spec ::= User_List Host_List '=' Cmnd_Spec_List  (':' Host_List '=' Cmnd_Spec_List)*   

Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List

Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd 
 
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' 

SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') 

Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')   

Tag_Spec ::= ('EXEC:' |
              'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
              'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
              'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')

it appears that I may be able to use multiple Cmnd_Spec_Lists thus

fred ALL=(ALL : ALL) ALL, NOPASSWD: /usr/sbin/service

But the documentation doesn't say that the latter NOPASSWD: Cmnd_Spec will override the ALL command root access for only that command.

It's the kind of thing I like to get right the first time; can anyone please confirm that the last line will work (or, alternately, say it won't work) for the specific purpose in hand?

Further, if it works to allow fred to run service without a sudo password, is there a way I can restrict the arguments to service, so that fred can only work without a password on service nginx, or even better, so that fred can only restart that server without a password?

Thanks.

2 Answers


Commands at the bottom of the config override ones above. It is mentioned in the documentation at https://www.sudo.ws/man/1.8.15/sudoers.man.html#SUDOERS_FILE_FORMAT that it is not most to least specific, unless you put them in order that way.

I do this using multiple lines. Multiple lines and rules are easier to read and understand in the future, when things get more complicated. Multiple lines can help you to set the order.

# I don't know what order this is interpreted in:
fred ALL=(ALL : ALL) ALL, NOPASSWD: /usr/sbin/service

# I do know what order this is interpreted in:
fred ALL=(ALL) ALL
fred ALL=(ALL) NOPASSWD: /usr/sbin/service

The following lines come from my sudoers file. They allow members of the group wheel to run all commands, and then specifically allow them to run the commands in the REBOOT alias without a password.

Cmnd_Alias      REBOOT = /sbin/halt, /sbin/reboot, \
                         /sbin/poweroff, /sbin/shutdown
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: REBOOT

Unfortunately I don't have much public documentation to point you to. The sudoers man page is ridiculous. I did read a great (easy to read) book on it a while ago (Sudo Mastery by Michael W. Lucas), and this example works for me on multiple Linux & BSD machines.
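To make the two points above concrete (the last matching entry wins, whether the entries are on separate lines or in one comma-separated Cmnd_Spec_List) and to answer the question's follow-up about restricting arguments, here is an added illustration. It is my own simplified model of sudoers matching, not sudo's parser and not code from the answer or from the sudo project; it implements only the parts of the grammar quoted in the question that the discussion turns on, and the sudoers snippets it parses are constructed samples.

```python
"""Simplified sudoers(5) rule matcher: an added illustration, not sudo's own code.

Models only what the question and answer turn on: entries apply in order and
the LAST matching Cmnd_Spec wins (across lines and within one comma-separated
Cmnd_Spec_List); a Cmnd with no arguments matches any arguments, a Cmnd with
arguments matches only those exact arguments, and "" means no arguments;
PASSWD:/NOPASSWD: tags and the Runas_Spec carry over to later commands in the
same list. Host lists, wildcards, %groups, '!' negation and Defaults are
deliberately out of scope.
"""
from __future__ import annotations
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    user: str
    runas: str                 # first element of the Runas_Spec ("root" if absent)
    nopasswd: bool
    cmd: str                   # executable path (alias-expanded) or ALL
    args: Optional[List[str]]  # None = any arguments, [] = no arguments


def parse_sudoers(text: str) -> List[Rule]:
    aliases: dict = {}
    rules: List[Rule] = []
    # join backslash-continued lines, then drop comments and blank lines
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        user, rest = line.split(None, 1)
        _host, spec_list = rest.split("=", 1)
        runas, nopasswd = "root", False      # defaults at the start of a list
        for spec in spec_list.split(","):
            spec = spec.strip()
            m = re.match(r"\(\s*([^:\s)]+)", spec)
            if m:                            # Runas_Spec such as (ALL : ALL)
                runas = m.group(1)
                spec = spec[spec.index(")") + 1:].strip()
            while True:                      # Tag_Spec*, sticky within the list
                if spec.startswith("NOPASSWD:"):
                    nopasswd, spec = True, spec[9:].strip()
                elif spec.startswith("PASSWD:"):
                    nopasswd, spec = False, spec[7:].strip()
                else:
                    break
            for cmnd in aliases.get(spec, [spec]):
                words = shlex.split(cmnd)
                args = None if len(words) == 1 else words[1:]
                if args == [""]:             # the built-in "" means no arguments
                    args = []
                rules.append(Rule(user, runas, nopasswd, words[0], args))
    return rules


def check(rules: List[Rule], user: str, cmd: str, args: List[str],
          runas: str = "root") -> str:
    """Return 'denied', 'password' or 'nopasswd'; the last matching rule wins."""
    verdict = "denied"
    for r in rules:
        if r.user not in (user, "ALL") or r.runas not in (runas, "ALL"):
            continue
        if r.cmd not in (cmd, "ALL"):
            continue
        if r.args is not None and r.args != list(args):
            continue
        verdict = "nopasswd" if r.nopasswd else "password"
    return verdict


# Constructed samples (not a real /etc/sudoers).
ONE_LINE = "fred ALL=(ALL : ALL) ALL, NOPASSWD: /usr/sbin/service\n"
# Same rules in the opposite order: the general entry now wins for service.
REVERSED = "fred ALL=(ALL) NOPASSWD: /usr/sbin/service\nfred ALL=(ALL) ALL\n"
# Password waived only for exactly these arguments, and only when running as root.
RESTRICTED = r"""
Cmnd_Alias NGINX_RESTART = /usr/sbin/service nginx restart, \
                           /usr/sbin/service nginx reload
fred ALL=(ALL : ALL) ALL
fred ALL=(root) NOPASSWD: NGINX_RESTART
"""

if __name__ == "__main__":
    svc = "/usr/sbin/service"
    print(check(parse_sudoers(ONE_LINE), "fred", svc, ["nginx", "stop"]))
    print(check(parse_sudoers(REVERSED), "fred", svc, ["nginx", "restart"]))
    r = parse_sudoers(RESTRICTED)
    print(check(r, "fred", svc, ["nginx", "restart"]), check(r, "fred", svc, ["nginx", "stop"]))
```

The ONE_LINE sample shows that the single-line form asked about does work in this model, for the reason the answer gives: the NOPASSWD entry comes last in the list, so it wins for /usr/sbin/service, while every other command still falls through to the ALL entry and needs a password. REVERSED shows the trap: with the general entry last, the password requirement is silently reimposed. RESTRICTED is the tightened form for the follow-up question: listing arguments in the Cmnd makes the match exact, so `service nginx stop` still prompts. On a real host, `visudo -c` checks the file's syntax and `sudo -l -U fred` (run as root) lists the entries that actually apply to fred, which is the check to run before relying on any of this.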


Hi. This could work. Try this: log in as root and follow the commands below; append the lines below to the sudoers file.

fred ALL=(ALL)NOPASSWD:ALL

  • This is not the answer to what I asked; what you suggest, Sudheer, gives fred the ability to run all commands via sudo without being asked for a password. But thanks.
    – reboot
    Commented Jun 22, 2016 at 6:29
