Permissions – Allow Certain Guests to Execute Specific Commands

permissionsprivilegessudo

I would like to create a new user on some of my Debian/Ubuntu hosts that is able to update the server using the commands apt-get update and apt-get dist-upgrade, but I do not wan't to give them full sudo access to be able to do anything else. Is this possible? Perhaps there is a way to create a script that they can't edit but can execute, which will get executed as the root user?

Best Answer

Sudo and the /etc/sudoers file aren't just for granting users full root access.

You can edit the sudoers file with an existing sudo user, with the command sudo visudo

You can group the commands that you want to grant access to like below:

Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get

You can then give a specific user privileges to those commands like so:

[User's name] ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS

This can be seen in the image belowenter image description here:

Now if you try sudo apt-get update or sudo apt-get dist-upgrade those commands will execute without asking for a password. If you want to be prompted for a password, remove the NOPASSWD bit where you grant a user access to command groups.

If you try to run anything else as the sudo user, you will be prompted for a password and fail.

References

Related Question