Let’s Geek Out! Sharing access to specific root commands in your server
Have you ever wanted to provide a user with the ability to restart an apache server, reboot a machine or run a yup or apt update, without giving away the server password?
Well, it’s possible. You can allow a user to run a command as sudo, without giving actual sudo privileges, by using the sudoers file.
In this article we’ll run through how to do it and what you need to be cautious of in the process.
What is the ‘sudoers’ file?
The sudo configuration file, otherwise known as the ‘sudoers file’, allocates system rights or privileges to users of a Linux or Unix system (”su” is short for super user and “do” literally means do [super user do].
The user will be granted super user or root privileges, which means they’re authorised to execute commands and access resources on a device, without limitation.
How to give system access using the sudoers file
As an administrator, you can edit the sudoers file to grant users rights to run particular programs.
The user's name needs to appear on a list that Linux checks to ensure they’re allowed said privileges, (if their name doesn’t appear, no privileges are granted).
Granting these limited privileges, using the sudoers file, helps keep your system safe.
A word of warning before you start...
Before you give away system access, consider the Principle of Least Privilege. This foundational IT guideline states that:
This means, to maintain the sanctity of your system, you should give the least amount of access to it as possible.
So before implementing some of the commands given in this tutorial, take a moment to ponder why the command requires root privileges in the first place. Elevated privileges are usually there for a reason. Make sure you’ve thought it through before changing it.
Also, remember that some commands might have the option to run more commands, so be meticulous about what you’re giving users access to. (You might think allowing a user to run vim or less as root will just allow them to edit or read a file, but both these commands will actually allow the user to run additional bash commands, which would run as sudo as well!)
Now let’s look into how to edit the sudoers file.
Editing the sudoers file
If you have sudo on your system, whether on a server or on your laptop, you‘ll have a sudoers file, located at /etc/sudoers, and this is what you’ll edit to grant user access.
It’s recommended you use the visudo command to do this. The visudo command:
- ensures the sudoer file isn’t edited by more than one person at a time (if two people edit the file simultaneously, one user may lose their edits).
- checks the syntax of edits to ensure there are no errors, before saving the file.
Syntax errors whilst editing the sudoers file could result in you being locked out of the system, or rendering your system entirely unusable, so it’s something you certainly want to avoid.
Using the visudo command
Running visudo will open the /etc/sudoers file in the vi editor by default, unless you have something else set up
To run the file regularly/with vi, use:
$ sudo visudo
(Note, you don’t include the ‘$’ symbol)
If you aren’t comfortable in vi, (or you don’t even know what vi is), you can instead use nano, or any other preferred text editor, by exporting the EDITOR variable, like so:
$ sudo EDITOR=nano visudo
(Again, don’t include the ‘$’ symbol)
You can replace ‘nano’ with the command to start the editor of your choice.
Creating the rules for editing in the sudoers file
Once you’re ready to edit the sudoers file, you need to create the rules for your desired result. To see what you can do with the file, let’s take a look at a couple of examples. The syntax goes as follows:
userusername hostname = (asuser) NOPASSWD:commandlist
where the commandlist is a list of commands with their full path.
Tip: If you don’t know the location of a command, you can do:
and you should get something like:
where /usr/bin/cat is the location of the cat command.
Let’s look at some examples:
james ALL=(ALL) NOPASSWD:/etc/init.d/httpd restart
This will allow the user, james, from any host, to run the command ‘/etc/init.d/httpd restart’ as any user, without using a password.
%developers ALL=(root) NOPASSWD:/home/ec2-user/somescript.sh,/usr/bin/yum update
This will allow all users in the group ‘developers’, without needing the root password, to do the following:
- run the script ‘somescript.sh’ as root, and
- update yum with ‘sudo yum update’.
You can add specific users to different groups to make it easy to give these users unique permissions.
Reminder! Remember that Principle of Least Privilege. It’s best to always give the least permission possible, so if james needs to run a command as root, it's better to use ‘root’ instead of ‘ALL’ for the ‘as user’.
Important: Make sure you add those lines at the very bottom of the sudoers file, or they will be overridden by other lines.
We hope this tutorial helps you feel comfortable granting user privileges. Remember to only give the access you absolutely need to, and limit the rest.
If there’s anything you think we should add to this tutorial, please let us know.