Giving sudo access to whole directory, some files ...
05-20-2013 08:23 AM
Hi All,
I tried to give sudo access but it is not working successfully.
My requirements are:
1) How to give sudo access for a particular directory, so that the user who has sudo can modify / delete / create new files / sub-directories within the given directory.
2) How to give modify (edit) permission through sudo for a particular file.
3) How to give sudo access to start and stop a service, say /etc/init.d/httpd.
4) How to give sudo access for installing one software package.
05-20-2013 10:33 AM
Re: Giving sudo access to whole directory, some files and start & stop the service
1) For this, sudo is not the right tool.
It is much easier to use directory permissions (and, if necessary, ACLs) for this.
If exactly one user needs to access the directory, use chown to give him/her the ownership of the directory.
If more than one user needs access, create a group, use chgrp to assign the group ownership of the directory to that group, set permissions to chmod 2770 or 2775. If there are any existing sub-directories, do the same for them too. Then add the required users to that group.
If you need all changes to the files to be logged, use a version control system (like cvs, svn, or git): that is exactly the kind of task version control systems are designed for.
2) If your sudo version supports the "sudoedit" or "sudo -e" command, then this can be done.
For example, to allow user userX to edit /some/file as userY on all hosts that have this sudoers file, the sudoers file entry would be:
userX ALL = (userY) sudoedit /some/file
If you omit the "(userY)" part, then userX will be allowed to edit the file with root-like access.
To edit the file, userX should first set the SUDO_EDITOR, VISUAL, or EDITOR environment variable to indicate his/her preferred text editor (e.g. "export SUDO_EDITOR=/usr/bin/vim"), and then run "sudoedit /some/file" or "sudo -e /some/file".
3) To allow userX to start and stop httpd (which must be run as root, since it uses ports 80 and/or 443), the sudoers file syntax would be:
userX ALL = (root) /etc/init.d/httpd start, /etc/init.d/httpd stop
4) You'll need to find the exact commands required to install that software, and allow them as in 3).
You'll need to think about things like:
- Is the software going to be installed using standard package management tools, like yum or apt-get, or does it have its own installer (like Oracle products almost always do)?
- If the software has its own installer, does it need to run as root at all? If not, you might want to create a user account (for example, userAPP) for the purpose of running the application, create a directory in a suitable location (e.g. /opt/app, or /usr/local/app, or /srv/app) and make the new user own it, then allow the user that is going to install the software full access through sudo to that user account only:
userX ALL = (userAPP) ALL
Then userX can switch to userAPP with "sudo -u userAPP -i", or run individual commands as userAPP with "sudo -u userAPP <command>".
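The group-owned directory set-up from point 1) above (chgrp the directory and its existing sub-directories to the shared group, chmod 2770 or 2775) is easy to get partly wrong on a tree that already has many sub-directories. The following is an added example written for this thread, not code from the answer: it walks a directory tree and reports every directory that is not owned by the shared group, lacks the setgid bit (so files created in it would not inherit the group), denies the group rwx, or is world-writable, and it can apply the recommended group and mode to the whole tree at once. The sample tree, its names and the group used are constructed; the demo builds the tree in a temporary directory and uses the caller's own group so it runs without root.

```python
"""Audit and repair a group-shared directory tree (point 1 in the answer above).

Added example for this thread, not code from the post. It checks what the answer
sets up by hand with chgrp and chmod 2770/2775: every directory in the tree is
owned by the shared group, carries the setgid bit so new files inherit that group,
gives the group rwx, and is never world-writable. The sample tree is constructed.
"""
import os
import stat
import tempfile


def audit_shared_tree(root, gid, allow_others_read=False):
    """Return [(path, problem), ...] for directories that deviate from the layout.

    gid: numeric id of the shared group. allow_others_read accepts 2775 as
    well as 2770; either way "others" must never have write access.
    """
    problems = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != gid:
            problems.append((dirpath, "wrong group owner"))
        if not (mode & stat.S_ISGID):
            problems.append((dirpath, "setgid bit missing"))
        if (mode & stat.S_IRWXG) != stat.S_IRWXG:
            problems.append((dirpath, "group lacks rwx"))
        if mode & stat.S_IWOTH:
            problems.append((dirpath, "world-writable"))
        elif (mode & stat.S_IRWXO) and not allow_others_read:
            problems.append((dirpath, "others have access"))
    return problems


def repair_shared_tree(root, gid, allow_others_read=False):
    """Apply chgrp + chmod 2770 (or 2775) to every directory; return the count."""
    target = 0o2775 if allow_others_read else 0o2770
    count = 0
    for dirpath, _dirs, _files in os.walk(root):
        os.chown(dirpath, -1, gid)   # -1 leaves the user owner unchanged
        os.chmod(dirpath, target)
        count += 1
    return count


def demo():
    """Build a constructed sample tree, audit it, repair it, audit again.

    Uses a temporary directory and the caller's own group so it runs unprivileged.
    Returns (problems_before, directories_repaired, problems_after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        os.makedirs(os.path.join(shared, "sub1", "deep"))   # default mode, no setgid
        os.makedirs(os.path.join(shared, "sub2"))
        gid = os.stat(shared).st_gid                        # the creator's group stands in for the shared group
        os.chmod(shared, 0o2770)                            # top level done right
        os.chmod(os.path.join(shared, "sub2"), 0o2777)      # setgid, but world-writable
        before = audit_shared_tree(shared, gid)
        fixed = repair_shared_tree(shared, gid)
        return before, fixed, audit_shared_tree(shared, gid)
```

On a real system you would pass the shared group's id, e.g. grp.getgrnam("appteam").gr_gid for a constructed group name "appteam", and run the audit first so you see what the repair is about to change; the repair needs to run as root or as the owner of every directory in the tree.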
05-21-2013 08:19 AM
Re: Giving sudo access to whole directory, some files and start & stop the service
I have tried the option you mentioned, but I am getting an error.
I am using RHEL 5.7.
Host_Alias xyx = xyz1,xyz2
Method 1 (current):
Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop
user WASS_HOSTS = NOPASSWD: WASS_CMDS
I am not getting any error while saving and exiting visudo, but I get the following error when the user restarts the service.
-bash-3.2$ /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: (13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
[FAILED]
Method 2:
Host_Alias xyx = xyz1,xyz2
Cmnd_Alias abc = (root)/etc/init.d/httpd start, \
(root)/etc/init.d/httpd restart, \
(root)/etc/init.d/httpd stop
user xyz = NOPASSWD: abc
Getting an error on save and exit:
visudo: Warning: Cmnd_Alias `abc' referenced but not defined
Method 3:
Host_Alias xyx = xyz1,xyz2
Cmnd_Alias abc = (root) /etc/init.d/httpd start, \
(root) /etc/init.d/httpd restart, \
(root) /etc/init.d/httpd stop
user xyz = NOPASSWD: abc
Getting the following error on save and exit from visudo:
visudo: Warning: Cmnd_Alias `abc' referenced but not defined
Method 4:
user xyz = NOPASSWD (root): abc
>>> /etc/sudoers: syntax error near line 1050 <<<
user xyz = NOPASSWD: (root) abc
>>> /etc/sudoers: syntax error near line 1050 <<<
#Host_Alias xyx = xyz1,xyz2
#Cmnd_Alias abc = (root) /etc/init.d/httpd start, \
(root) /etc/init.d/httpd restart, \
(root) /etc/init.d/httpd stop
user ALL = NOPASSWD:(root)/etc/init.d/httpd restart
Getting a syntax error.
05-22-2013 04:59 AM
Re: Giving sudo access to whole directory, some files and start & stop the service
Method 1:
> -bash-3.2$ /etc/init.d/httpd restart
If httpd requires root permissions to run (e.g. because it is configured to use ports <1024), then you must prefix "sudo" to the command:
-bash-3.2$ sudo /etc/init.d/httpd restart
Without the "sudo" prefix, the non-root user will run the command as himself, without root permissions.
Without root permissions, httpd will not be able to open port 80 nor its log files, and it will fail.
Methods 2 and 3 (I see no difference between the two???):
> Cmnd_Alias abc = (root)/etc/init.d/httpd start, \
This is not a correct Cmnd_Alias syntax.
With Cmnd_Alias, you can only specify commands, not the username to run them as.
For the username, there is a separate Runas_Alias.
Also, you are defining Host_Alias xyx but referring to Host_Alias xyz.
Host_Alias xyz = xyz1,xyz2
Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop
user xyz = (root) NOPASSWD: abc
or if you want to use Runas_Alias:
Host_Alias xyz = xyz1,xyz2
Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop
Runas_Alias HTTPDUSER = root
user xyz = (HTTPDUSER) NOPASSWD: abc
Method 4:
Assuming that this is line 1050 of your sudoers file:
> user xyz = NOPASSWD: (root) abc
You have the last three elements in the wrong order.
It should be:
user xyz = (root) NOPASSWD: abc
Tags like "NOPASSWD:" come after the run-as specification and before the command specification.
05-22-2013 03:14 PM
Re: Giving sudo access to whole directory, some files and start & stop the service
I have done the following:
Host_Alias xyz = xyz1, xyz2
Cmnd_Alias abc = /etc/init.d/httpd start, \
/etc/init.d/httpd restart, \
/etc/init.d/httpd stop
john xyz = (root) NOPASSWD: abc
But it is giving the following error.
xyz1# su - john
su: warning: cannot change directory to /home/john: No such file or directory
-bash-3.2$ sudo /etc/init.d/httpd restart
Sorry, user john is not allowed to execute '/etc/init.d/httpd restart' as john on xyz1.
05-22-2013 09:24 PM
Solution
> xyz1# su - john
> su: warning: cannot change directory to /home/john: No such file or directory
This means the home directory of user "john" has not been created, i.e. the user set-up is not complete. But that should not be a problem for sudo...
> -bash-3.2$ sudo /etc/init.d/httpd restart
> Sorry, user john is not allowed to execute '/etc/init.d/httpd restart' as john on xyz1.
The message says sudo is trying to execute the command as user "john", not as user "root".
Hmm, your previous message indicated your sudoers file has at least 1050 lines, so this is probably caused by something else in your configuration you have not shown me...
Do you have the "runas_default" configuration option specified? For example, do you have something like this in your sudoers file:
Defaults runas_default = john
If you have the runas_default specified as some user other than root, then user john needs to explicitly specify that he wants to run the command as root:
-bash-3.2$ sudo -u root /etc/init.d/httpd restart
Note that each user can use "sudo -l" to list what commands s/he is allowed to run through sudo. The root user can list any user's allowed commands with "sudo -l -U <username>". If your sudoers configuration is very complex (1050 lines can be very complex indeed!), this can be helpful: it allows you to see the result of your current sudoers configuration as it applies to a particular user.
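The rules exchanged in this thread (a Cmnd_Alias may only list commands, not a (user) run-as part; an alias referenced but never defined; tags such as NOPASSWD: belong after the (runas) specification; and runas_default decides which user a command runs as when no (runas) is given, which is what "sudo -l" reflects) can be checked mechanically before a fragment goes into /etc/sudoers. The following is an added example written for this thread, not code from the answers or from sudo itself: a small parser for the subset of the sudoers(5) grammar used here that reports those three mistakes, and a resolver that lists what a given user may run on a given host, as "sudo -l -U user" would. The fragments GOOD and BAD are constructed; alias names in them are upper-cased because sudoers requires alias names to be upper-case. It is a teaching tool for reasoning about the grammar, not a replacement for "visudo -c", which remains the authoritative check.

```python
"""Lint a sudoers fragment and list what a user may run, as "sudo -l" would.

Added example for this thread, not code from the posts or from sudo. It covers the
grammar subset used above and flags the three mistakes seen in it. GOOD and BAD are
constructed fragments: GOOD is the thread's corrected form plus a runas_default,
BAD reproduces Method 2, the XYX/XYZ alias typo and Method 4 (upper-cased names).
"""
import re

ALIASES = ("Host_Alias", "Cmnd_Alias", "Runas_Alias")
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")  # sudoers(5): alias names are upper-case
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")  # user hostlist = rest


def logical_lines(text):
    """Drop comments and blank lines, join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        elif line.strip():
            out.append((buf + line).strip())
            buf = ""
    return out


def parse_sudoers(text):
    """Return (config, errors); the errors mirror the warnings visudo prints."""
    cfg, errors = {**{k: {} for k in ALIASES}, "defaults": {}, "specs": []}, []
    for line in logical_lines(text):
        head, body = (line.split(None, 1) + [""])[:2]
        if head == "Defaults":
            key, _, val = body.partition("=")
            cfg["defaults"][key.strip()] = val.strip()
        elif head in ALIASES:
            name, _, members = body.partition("=")
            name, members = name.strip(), [m.strip() for m in members.split(",")]
            if not ALIAS_NAME.match(name):
                errors.append(f"{head} name {name!r} must be upper-case letters, digits or _")
            elif head == "Cmnd_Alias" and any(m.startswith("(") for m in members):
                errors.append(f"Cmnd_Alias {name}: a (user) run-as spec is not allowed here; "
                              "put it in the user spec or use a Runas_Alias")
            else:
                cfg[head][name] = members
        elif (m := SPEC.match(line)):
            user, hosts, rest = m.groups()
            runas, tags = None, set()
            if rest.startswith("("):                       # optional (runas) comes first
                runas, _, rest = rest[1:].partition(")")
            while (parts := rest.split(":", 1))[0].strip() in TAGS and len(parts) == 2:
                tags.add(parts[0].strip())                 # then zero or more TAG: prefixes
                rest = parts[1].strip()
            if "(" in rest:                                # (runas) after a tag, as in Method 4
                errors.append(f"syntax error near {line!r}: order is user host = (runas) TAG: cmd")
                continue
            cmds = [c.strip() for c in rest.split(",")]
            for kind, ref in [("Host_Alias", hosts), ("Runas_Alias", runas or "")] + [("Cmnd_Alias", c) for c in cmds]:
                if ref != "ALL" and ALIAS_NAME.match(ref) and ref not in cfg[kind]:
                    errors.append(f"{kind} `{ref}' referenced but not defined")
            cfg["specs"].append((user, hosts, runas, frozenset(tags), cmds))
        else:
            errors.append(f"syntax error: {line!r}")
    return cfg, errors


def expand(cfg, kind, name):
    """Expand an alias into its members, recursively; plain names pass through."""
    return [x for m in cfg[kind][name] for x in expand(cfg, kind, m)] if name in cfg[kind] else [name]


def allowed_commands(cfg, user, host):
    """Emulate "sudo -l -U user" on host: list of (runas_user, nopasswd, command)."""
    out = []
    for u, hosts, runas, tags, cmds in cfg["specs"]:
        if u not in (user, "ALL") or not {host, "ALL"} & set(expand(cfg, "Host_Alias", hosts)):
            continue
        # no (runas) given: the target user is runas_default, which is root unless overridden
        runas_users = expand(cfg, "Runas_Alias", runas) if runas else [cfg["defaults"].get("runas_default", "root")]
        for ru in runas_users:
            for c in cmds:
                out += [(ru, "NOPASSWD" in tags, cmd) for cmd in expand(cfg, "Cmnd_Alias", c)]
    return out


def may_run(cfg, user, host, target_user, command):
    """True if sudo would let user run command as target_user on host."""
    return any(ru in (target_user, "ALL") and cmd in (command, "ALL")
               for ru, _, cmd in allowed_commands(cfg, user, host))


GOOD = """Host_Alias WEB = xyz1, xyz2
Cmnd_Alias HTTPD = /etc/init.d/httpd start, \\
                   /etc/init.d/httpd stop
Defaults runas_default = john
john WEB = (root) NOPASSWD: HTTPD
userX ALL = /etc/init.d/httpd status
"""

BAD = """Host_Alias XYX = xyz1, xyz2
Cmnd_Alias ABC = (root) /etc/init.d/httpd start, (root) /etc/init.d/httpd stop
user XYZ = (root) NOPASSWD: ABC
user XYZ = NOPASSWD: (root) ABC
"""
```

With GOOD loaded, may_run(cfg, "john", "xyz1", "john", "/etc/init.d/httpd stop") is False while the same call with "root" is True: because runas_default is john, a plain "sudo /etc/init.d/httpd stop" asks to run as john, the (root) entry does not match, and sudo prints exactly the "not allowed to execute ... as john" message quoted above; "sudo -u root ..." is what matches. Parsing BAD yields the Cmnd_Alias run-as error, two "referenced but not defined" warnings (XYZ, and ABC because its definition was rejected) and one ordering error for the NOPASSWD: (root) line.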