2 Replies Latest reply: Jan 14, 2013 12:11 PM by Catch-22

    Control Script Access w/ Sudo?

    895327
      I have a developer on my Linux server who needs to manually run a small custom Bash script which lives in the /etc/init.d/ folder:
      [root@cq init.d]# ls -l myscript
      -rwxrwx-w- 1 root root 1301 Feb 14  2012 myscript
      I don't just want to give this or possibly more developers blind full sudo access to the entire server. My question is how can I limit the user's sudo access to run this script and not have to give them more access than they need? I'm not sure if it's necessary to see what exactly the script is doing and where it's doing it so I will just leave it at this for now and can post more details if need be.

      So I just want this user to be able to run this script as sudo but have sudo limit her ability to what she can and can't do as an elevated user.

      Thanks for any info.
        • 1. Re: Control Script Access w/ Sudo?
          898553
          http://www.garron.me/linux/visudo-command-sudoers-file-sudo-default-editor.html
          • 2. Re: Control Script Access w/ Sudo?
            Catch-22
            Sudo means to run a command as root.

            To allow a user to execute a particular command as root, you can add the following to the /etc/sudoers configuration:

            Syntax: username hostname=command
            Where:
            username = name of the user according to /etc/passwd
            hostname = The hostname of the system where this rule applies.
            command = command to execute

            For example:
            [dude@vm014 ~]$ /etc/init.d/sendmail restart
            rm: cannot remove `/var/run/sm-client.pid': Permission denied
            Shutting down sendmail: /etc/rc.d/init.d/functions: line 141: /var/run/sendmail.pid: Permission denied
            rm: cannot remove `/var/run/sendmail.pid': Permission denied
            Starting sendmail: /etc/rc.d/init.d/functions: line 141: /var/run/sendmail.pid: Permission denied
            550 Permission denied (real uid not trusted)
            su - root
            visudo
            
            dude vm014=/etc/init.d/sendmail restart
            [dude@vm014 ~]$ sudo /etc/init.d/sendmail restart
            [sudo] password for dude: 
            Shutting down sm-client:                                   [  OK  ]
            Shutting down sendmail:                                    [  OK  ]
            Starting sendmail:                                         [  OK  ]
            Starting sm-client:                                        [  OK  ]
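
Added example, not part of the thread: the `ls -l` output in the question shows `myscript` with mode `-rwxrwx-w-` (772), so a sudoers rule for that path would run as root whatever any local user writes into the file. The helper below prints the `username hostname=command` line from reply 2 only when the script and its directory are root-owned and not writable by group or other; the function names, the user `dev` and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, the user "dev" and the uid override are
# constructed for illustration; host "cq" is the one in the question's prompt.

# path_is_locked PATH [OWNER_UID]
# Succeeds only when PATH (symlinks followed) is owned by OWNER_UID
# (default 0, root) and has no group or other write bit.
path_is_locked() {
    f_path=$1
    f_want=${2:-0}
    f_stat=$(stat -L -c '%u %a' -- "$f_path" 2>/dev/null) || {
        echo "$f_path: cannot stat" >&2; return 2; }
    f_uid=${f_stat% *}
    f_mode=${f_stat#* }
    if [ "$f_uid" != "$f_want" ]; then
        echo "$f_path: owned by uid $f_uid, expected $f_want" >&2
        return 1
    fi
    # 022 = group-write | other-write; mode 772 (-rwxrwx-w-) fails here.
    if [ $(( 0$f_mode & 022 )) -ne 0 ]; then
        echo "$f_path: mode $f_mode is writable by group or other" >&2
        return 1
    fi
}

# sudo_rule USER HOST SCRIPT [ARGS] [OWNER_UID]
# Prints a "username hostname=command" sudoers line, but only when the
# script and its directory are locked down. Only the immediate directory
# is checked; directories further up are not walked.
sudo_rule() {
    r_user=$1; r_host=$2; r_script=$3; r_args=$4; r_owner=${5:-0}
    case $r_script in
        /*) ;;
        *) echo "$r_script: sudoers needs an absolute path" >&2; return 2 ;;
    esac
    path_is_locked "$r_script" "$r_owner" || return 1
    path_is_locked "$(dirname "$r_script")" "$r_owner" || return 1
    printf '%s %s=%s%s\n' "$r_user" "$r_host" "$r_script" "${r_args:+ $r_args}"
}

# Typical use as root, after "chmod 755 /etc/init.d/myscript":
#   sudo_rule dev cq /etc/init.d/myscript
# Paste the printed line in with visudo, then run "visudo -c" to check syntax.
```

A rule that names only the path lets the user pass any arguments to the script; listing arguments after the path, as reply 2 does with `restart`, restricts the user to exactly those.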