The Task

I have a situation on a CentOS server where I need to grant one low privileged user account the ability to run a single command as root. Here’s how I did it:

Enter visudo and the sudoers File

This probably deserves its own post, but for now let it suffice to know that if you are editing the sudoers file, you need to use visudo. It locks the file against concurrent edits and checks your syntax before saving, which will prevent you from swearing like a drunken stevedore in between hysterical crying fits. (A syntax error in a hand-edited sudoers file can lock everyone, root included, out of sudo.)

Run visudo as root and scroll down to the section that assigns rights to user accounts. You’ll almost certainly see a line that says

root ALL=(ALL) ALL

That’s the beginning of the section that we’re interested in. But, what does that even mean? Let’s talk about that before we edit anything.

Each user line in the sudoers file follows this syntax:

who host=(accounts) commands

Broken down, that means:

  • who: the account (or %group) whose sudo privileges this line grants
  • host: the system on which the account may run these sudo commands (the sudoers file can be shared across multiple computers, so that’s when this would come into play)
  • accounts: the other accounts on the machine that the user running sudo may act as; if this part is left out, it defaults to root
  • commands: the commands that the account named by who may run through sudo, each given by its full path

That means root ALL=(ALL) ALL is broken down thusly: the root account can use sudo on any computer that has this sudoers file, assume the identity of any account on those machines, and run any command available on them.

There are a few other options (sudoers calls them tags) that can be placed on the line to further define each user’s sudo privileges. I won’t go into detail about those options (mostly because I just learned about them the other day and I’m still clueless), but you can read much more about the whole thing in the sudoers(5) man page.

The specific option that I’m interested in is the NOPASSWD tag. You see, I need to call sudo to run a specific command as root within a script and not be prompted for a password. In that case, I place NOPASSWD: just before the command that I want to run as root without a password. A tag applies to the command it precedes and stays in force for any later commands on the same line until the opposite tag (here, PASSWD:) turns it off. It would look something like this:

backupuser ALL=(ALL) NOPASSWD: /usr/bin/backuptool

Two things worth tightening in that line. First, (ALL) lets backupuser run backuptool as any account on the box, not only root; if root is all the script needs, write (root) instead. Second, with no arguments listed after the command, sudo accepts any arguments at all; if the tool takes none, follow the path with two double quotes to forbid them, and if it takes a fixed set, list them. After saving, run sudo -l as the user to confirm the grant looks the way you intended.
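To make the who/host/(accounts)/tags/commands breakdown above concrete, here is a small parser and least-privilege checker for lines of that form. It is an added example, not part of the original post and not any sudo tool; it implements a simplified grammar (one host, no aliases, no line continuations, no commas inside arguments) and the sample lines it parses are constructed for illustration.

```python
"""Parse sudoers user-specification lines and flag over-broad grants.

Added example for the `who host=(accounts) [TAG:] commands` syntax. It is
not sudo's own parser: aliases, multiple host/runas lists, line
continuations and commas inside arguments are not handled.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Tag pairs: setting one member clears the other (PASSWD: turns off NOPASSWD:).
TAG_PAIRS = [("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV"),
             ("LOG_INPUT", "NOLOG_INPUT"), ("LOG_OUTPUT", "NOLOG_OUTPUT"),
             ("MAIL", "NOMAIL"), ("FOLLOW", "NOFOLLOW")]
OPPOSITE = {a: b for a, b in TAG_PAIRS}
OPPOSITE.update({b: a for a, b in TAG_PAIRS})


@dataclass
class Cmnd:
    path: str                 # absolute path, "ALL", or an alias name
    args: Optional[str]       # None = any arguments; "" = no arguments allowed
    tags: FrozenSet[str]      # tags in force for this command
    negated: bool = False     # "!" entries subtract from the grant


@dataclass
class UserSpec:
    who: str
    host: str
    runas_user: str           # "root" when no (...) given; "" means invoking user
    runas_group: Optional[str]
    cmnds: List[Cmnd]


SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")


def parse_user_spec(line: str) -> UserSpec:
    line = re.sub(r"(^|\s)#.*$", "", line).strip()       # drop trailing comments
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    rest = m["rest"].lstrip()
    runas_user, runas_group = "root", None                 # sudoers' runas default
    if rest.startswith("("):
        close = rest.index(")")
        user, _, group = rest[1:close].partition(":")
        runas_user, runas_group = user.strip(), (group.strip() or None)
        rest = rest[close + 1:].lstrip()
    tags: set = set()
    cmnds: List[Cmnd] = []
    for chunk in (c.strip() for c in rest.split(",")):
        # A tag applies to the command it precedes and stays in force for the
        # rest of the list until its opposite appears.
        while True:
            head, sep, tail = chunk.partition(":")
            if not (sep and head in OPPOSITE):
                break
            tags.discard(OPPOSITE[head])
            tags.add(head)
            chunk = tail.lstrip()
        negated = chunk.startswith("!")
        if negated:
            chunk = chunk[1:].lstrip()
        parts = chunk.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else None
        if args == '""':
            args = ""                                      # explicit "no arguments"
        cmnds.append(Cmnd(parts[0], args, frozenset(tags), negated))
    return UserSpec(m["who"], m["host"], runas_user, runas_group, cmnds)


def audit(spec: UserSpec) -> List[str]:
    """Least-privilege findings for a line meant to grant one command as root."""
    findings: List[str] = []
    if spec.runas_user == "ALL":
        findings.append("runas (ALL) lets the command run as any account; use (root)")
    for c in spec.cmnds:
        if c.negated:
            continue
        if c.path == "ALL":
            findings.append("grants ALL commands")
            continue
        if not c.path.startswith("/"):
            findings.append(f"{c.path}: not a fully-qualified path (alias, or a visudo syntax error)")
        if c.args is None:
            findings.append(f'{c.path}: any arguments accepted; append "" or list the exact ones')
    return findings


if __name__ == "__main__":
    # Constructed sample lines: the post's grant and a tightened version of it.
    for line in ("backupuser ALL=(ALL) NOPASSWD: /usr/bin/backuptool",
                 'backupuser ALL=(root) NOPASSWD: /usr/bin/backuptool ""'):
        spec = parse_user_spec(line)
        print(line)
        for f in audit(spec) or ["ok"]:
            print("  -", f)
```

Running it flags the post’s line twice (the (ALL) runas and the unrestricted arguments) and passes the tightened variant clean. It is a reading aid, not a substitute for visudo: sudo’s real grammar is larger, and visudo -c is still the authoritative syntax check.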

And that is how I restricted an account’s ability to use one single command as root using sudo without a password. Any thoughts? Caveats? The sudoers file is a behemoth invention that can do quite a few different things. Let me know your ideas below.