Like most things on Linux, the sudo command is very configurable. You can have sudo run specific commands without asking for a password, restrict specific users to only approved commands, log commands run with sudo, and more.
The sudo command’s behavior is controlled by the /etc/sudoers file on your system. This file must be edited with the visudo command, which performs syntax checking to ensure you don’t accidentally break the file.
The safest way to experiment with sudo configuration is to maintain a separate file for each Linux group or user and place these files under the /etc/sudoers.d directory.
Never ask for a password for any sudo command
%admins ALL=(ALL) NOPASSWD: ALL
With the above configuration, sudo will not ask for a password for any command run by users in the 'admins' group.
Never ask for a password for specific commands
username ALL=(ALL) NOPASSWD: /usr/bin/chown, /usr/bin/chmod
Allow sudo access to specific commands with a password prompt
%appadmin ALL=/usr/bin/chown, /usr/bin/chmod
Allow sudo access to all commands except one
username ALL= ALL, !/bin/su
Allow sudo access to specific commands in a specific directory (without a password)
%appadmin ALL=(ALL) NOPASSWD: /bin/chmod * /opt/apps/*, /bin/chown * /opt/apps/*
The above configuration allows users to run only the chmod and chown commands through sudo, with the syntax shown below:
user1@testvm[~]$ sudo chmod 755 /opt/apps/test.txt
user1@testvm[~]$ sudo chown user1:appadmin /opt/apps/test.txt
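An added example, not from the original post: a small Python audit that flags three patterns in the rules above that the sudoers(5) manual warns about. The finding codes, function names and sample text are constructed for this illustration, and the parser handles only simple one-line rules.

```python
import re

# Constructed sample: the rules shown on this page, as one drop-in file.
SAMPLE = """\
%admins ALL=(ALL) NOPASSWD: ALL
username ALL=(ALL) NOPASSWD: /usr/bin/chown, /usr/bin/chmod
%appadmin ALL=/usr/bin/chown, /usr/bin/chmod
username ALL= ALL, !/bin/su
%appadmin ALL=(ALL) NOPASSWD: /bin/chmod * /opt/apps/*, /bin/chown * /opt/apps/*
"""

# Finding codes are names made up for this example; the notes paraphrase sudoers(5).
NOTES = {
    "NOPASSWD_ALL": "every command is allowed with no password prompt",
    "NEGATION_AFTER_ALL": "subtracting commands from ALL with '!' is generally not effective",
    "WILDCARD_ARGS": "wildcards in arguments match across word boundaries; list exact arguments",
}

# who host = [(runas)] [TAG:] cmd[, cmd...]  -- simple one-line rules only
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def audit_line(line):
    """Return the finding codes for one user-specification line."""
    line = line.strip()
    if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
        return []
    m = RULE.match(line)
    if not m:
        return ["UNPARSED"]
    rest = m.group(4)
    nopasswd = "NOPASSWD:" in rest
    rest = re.sub(r"\b[A-Z_]+:\s*", "", rest)       # drop tags such as NOPASSWD:
    cmds = [c.strip() for c in rest.split(",")]     # ignores escaped commas
    findings = []
    if "ALL" in cmds and nopasswd:
        findings.append("NOPASSWD_ALL")
    if "ALL" in cmds and any(c.startswith("!") for c in cmds):
        findings.append("NEGATION_AFTER_ALL")
    if any(set("*?") & set(c.partition(" ")[2]) for c in cmds):
        findings.append("WILDCARD_ARGS")
    return findings

def audit(text):
    """Map 1-based line numbers to findings, omitting clean lines."""
    report = {n: audit_line(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in report.items() if f}

if __name__ == "__main__":
    for n, codes in audit(SAMPLE).items():
        for code in codes:
            print(f"line {n}: {code}: {NOTES.get(code, 'not a simple rule')}")
```

A rule that passes this audit still needs `visudo` syntax checking before it goes into /etc/sudoers.d.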