Linux – Whitelisting commands a user can use with sudo

bashcentoscentos-7linuxsudo

I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.

I've tried:

user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL

All of those attempts have resulted in a syntax error in the /etc/sudoers file.

I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?

Best Answer

Try to add something like this:

user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args

On the above line:

user is the user that needs access to the commands
/bin/cmd1 args, /bin/cmd2 args are the commands
root is the user under which the commands will be executed

Related Solutions

Linux – How to make Shared Keys .ssh/authorized_keys and sudo work together

ssh and sudo have nothing to do with each other. Setting up an ssh authentication method isn't going to do anything for sudo. sudo isn't going to understand an ssh password.

passwd -l is intended to lock a user's account, so that he can no longer authenticate by password. That's pretty much the opposite of what you want, which is letting the user authenticate without a password.

I think what you want is the NOPASSWD option in your sudoers file.

(PS, there's no reason to be running a cd command with sudo. cd does not propagate to parent processes, so as soon as the sudo exits, you're back where you started.)

Edit: You keep saying that you want to lock the account password and want sudo to understand public/private keys. Sorry, sudo isn't going to use ssh keys. It isn't ssh. If you don't want users to be able to log in with their passwords, I think the answer is to disable ssh password authentication, not to lock the account. Then you can retain a password for the users, which they can use to sudo after they log in via ssh authorized_keys.

Linux – Pre-authorise sudo? (So it can be run later)

To complete the first answer:

Set up a way that your non-privileged time-consuming computations can initiate the shutdown that’s waiting in the privileged shell (started by sudo -s or sudo su). Using a file as a flag is a good, simple way of doing this. So, in your non-privileged shell, do

cmd1; cmd2; cmd3; > ok_to_shutdown_now

and in your privileged shell, run a script that says

while [ ! -f ok_to_shutdown_now ]
do
        sleep 60
done
shutdown

Related Question

Linux – ‘user is not in the sudoers file’ but actually is