topic Re: Giving sudo access to whole directory, some files and start & stop the service in Operating System - Linux

Giving sudo access to whole directory, some files and start & stop the service

Senthil_N — Mon, 20 May 2013 15:23:22 GMT

Hi All,

I tried to give sudo access but it is not working successfully.

My requirements are

1)How to give sudo access for particular directory like the user who is having sudo can modify / delete / create new files / sub-directory with in given directory.

2)How to give modify (edit) permission through sudo for particular file.

3)How to give sudo access for star and stop the service. for say. /etc/init.d/httpd.

4)How to give sudo access for installing one software.

Re: Giving sudo access to whole directory, some files and start & stop the service

Matti_Kurkela — Mon, 20 May 2013 17:33:29 GMT

1) For this, sudo is not the right tool.

It is much easier to use directory permissions (and, if necessary, ACLs) for this.

If exactly one user needs to access the directory, use chown to give him/her the ownership of the directory.

If more than one user needs access, create a group, use chgrp to assign the group ownership of the directory to that group, set permissions to chmod 2770 or 2775. If there are any existing sub-directories, do the same for them too. Then add the required users to that group.

If you need all changes to the files to be logged, use a version control system (like cvs, svn, or git): that is exactly the kind of task version control systems are designed for.

2.) If your sudo version supports the "sudoedit" or "sudo -e" command, then this can be done.

For example, to allow user userX to edit /some/file as userY on all hosts that have this sudoers file, the sudoers file entry would be:

userX    ALL = (userY) sudoedit /some/file

If you omit the "(userY)" part, then userX will be allowed to edit the file with root-like access.

To edit the file, userX should first set the SUDO_EDITOR, VISUAL, or EDITOR environment variable to indicate his/her preferred text editor (e.g. "export SUDO_EDITOR=/usr/bin/vim"), and then run "sudoedit /some/file" or "sudo -e /some/file".

3.) To allow userX to start and stop httpd (which must be run as root, since it uses ports 80 and/or 443), the sudoers file syntax would be:

userX    ALL = (root) /etc/init.d/httpd start, /etc/init.d/httpd stop

4.) You'll need to find the exact commands required to install that software, and allow them as in 3.)

You'll need to think about things like:

Is the software going to be installed using standard package management tools, like yum or apt-get, or does it have its own installer (like Oracle products almost always do)?
If the software has its own installer, does it need to run as root at all? If not, you might want to create a user account (for example, userAPP) for the purpose of running the application, create a directory in a suitable location (e.g. /opt/app, or /usr/local/app, or /srv/app) and make the new user own it, then allow the user that is going to install the software full access through sudo to that user account only:

userX    ALL =(userAPP) ALL

Then userX can switch to userAPP with "sudo -u userAPP -i", or run individual commands as userAPP with "sudo -u userAPP <command>".

Re: Giving sudo access to whole directory, some files and start & stop the service

Senthil_N — Tue, 21 May 2013 15:19:14 GMT

Hi Matti,

I have tried the option you mentioned by I am getting error.

I am using RHEL 5.7

Host_Alias xyx = xyz1,xyz2

1)Method 1 (current):

Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop

user WASS_HOSTS = NOPASSWD: WASS_CMDS

I am not getting any error while save and exit visudo. But getting following error while restarting the service by the user.

-bash-3.2$ /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: (13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Method 2:

Host_Alias xyx = xyz1,xyz2

Cmnd_Alias abc = (root)/etc/init.d/httpd start, \
(root)/etc/init.d/httpd restart, \
(root)/etc/init.d/httpd stop

user xyz = NOPASSWD: abc

Getting error while save and exit.

visudo: Warning: Cmnd_Alias `abc' referenced but not defined

Method 3:

Host_Alias xyx = xyz1,xyz2

Cmnd_Alias abc = (root) /etc/init.d/httpd start, \
(root) /etc/init.d/httpd restart, \
(root) /etc/init.d/httpd stop

user xyz = NOPASSWD: abc

Getting following error while save and exit visudo

visudo: Warning: Cmnd_Alias `abc' referenced but not defined

Method 4:

user xyz = NOPASSWD (root): abc

>>> /etc/sudoers: syntax error near line 1050 <<<

user xyz = NOPASSWD: (root) abc

>>> /etc/sudoers: syntax error near line 1050 <<<

#Host_Alias xyx = xyz1,xyz2

#Cmnd_Alias abc = (root) /etc/init.d/httpd start, \
(root) /etc/init.d/httpd restart, \
(root) /etc/init.d/httpd stop

user ALL = NOPASSWD:(root)/etc/init.d/httpd restart

Getting syntax error.

Re: Giving sudo access to whole directory, some files and start & stop the service

Matti_Kurkela — Wed, 22 May 2013 11:59:40 GMT

Method 1:

> -bash-3.2$ /etc/init.d/httpd restart

If httpd requires root permissions to run (e.g. because it is configured to use ports <1024), then you must prefix "sudo" to the command:

-bash-3.2$ sudo /etc/init.d/httpd restart

Without the "sudo" prefix, the non-root user will run the command as himself, without root permissions.

Without root permissions, httpd will not be able to open port 80 nor its log files, and it will fail.

Method 2 and 3: (I see no difference between the two???)

> Cmnd_Alias abc = (root)/etc/init.d/httpd start, \

This is not a correct Cmnd_Alias syntax.

With Cmnd_Alias, you can only specify commands, not the username to run them as.

For the username, there is a separate Runas_Alias.

Also, you are defining Host_Alias xyx but referring to Host_Alias xyz.

Host_Alias xyz = xyz1,xyz2

Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop

user xyz = (root) NOPASSWD: abc

or if you want to use Runas_Alias:

Host_Alias xyz = xyz1,xyz2

Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop

Runas_Alias HTTPDUSER = root

user xyz = (HTTPDUSER) NOPASSWD: abc

Method 4:

Assuming that this is line 1050 of your sudoers file:

> user xyz = NOPASSWD: (root) abc

You have the last three elements in the wrong order.

It should be:

user xyz = (root) NOPASSWD: abc

Tags like "NOPASSWD:" come after the run-as specification and before the command specification.

Re: Giving sudo access to whole directory, some files and start & stop the service

Senthil_N — Wed, 22 May 2013 22:14:05 GMT

Hi Matt,

I have done following:

Host_Alias xyz = xyz1, xyz2

Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop

john xyz = (root) NOPASSWD: abc

But it is giving following error.

xyz1# su - john
su: warning: cannot change directory to /home/john: No such file or directory

-bash-3.2$ sudo /etc/init.d/httpd restart
Sorry, user john is not allowed to execute '/etc/init.d/httpd restart' as john on xyz1.

Re: Giving sudo access to whole directory, some files and start & stop the service

Matti_Kurkela — Thu, 23 May 2013 04:24:21 GMT

> xyz1# su - john
> su: warning: cannot change directory to /home/john: No such file or directory

This means the home directory of user "john" has not been created, i.e. the user set-up is not complete. But that should not be a problem for sudo...

> -bash-3.2$ sudo /etc/init.d/httpd restart
> Sorry, user john is not allowed to execute '/etc/init.d/httpd restart' as john on xyz1.

The message says sudo is trying to execute the command as user "john", not as user "root".

Hmm, your previous message indicated your sudoers file has at least 1050 lines, so this is probably caused by something else in your configuration you have not shown me...

Do you have the "runas_default" configuration option specified? For example, do you have something like this in your sudoers file:

Defaults runas_default = john

If you have the runas_default specified as some user other than root, then user john needs to explicitly specify that he wants to run the command as root:

-bash-3.2$ sudo -u root /etc/init.d/httpd restart

Note that each user can use "sudo -l" to list what commands s/he is allowed to run through sudo. The root user can list any user's allowed commands with "sudo -l -U <username>". If your sudoers configuration is very complex (1050 lines can be very complex indeed!), this can be helpful: it allows you to see the result of your current sudoers configuration as it applies to a particular user.