Restrict a user "pooja" to run only two root commands.
This task is very simple: just modify the permissions previously assigned to pooja.
Let's give pooja access to run only the fdisk and parted commands.
First check the complete path of those commands by using the following commands:
# which fdisk
# which parted

[pooja@linuxelearn ~]$ which fdisk
/sbin/fdisk
[pooja@linuxelearn ~]$ which parted
/sbin/parted
[pooja@linuxelearn ~]$
Let's assign both of the above paths in the sudoers file.
# visudo

## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)   ALL
pooja   ALL=(ALL)   /sbin/fdisk,/sbin/parted
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
- Log in as pooja and try the assigned commands, and other commands as well.

[root@linuxelearn ~]# su pooja
[pooja@linuxelearn root]$ sudo fdisk -l
[sudo] password for pooja:

Disk /dev/sda: 17.2 GB, 17179869184 bytes
255 heads, 63 sectors/track, 2088 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000efa3d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      204800   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              26        1301    10240000   83  Linux
/dev/sda3            1301        1562     2097152   82  Linux swap / Solaris
/dev/sda4            1562        2088     4228884    5  Extended
/dev/sda5            1562        1626      517837+  82  Linux swap / Solaris
/dev/sda6            1627        1691      522081   8e  Linux LVM
/dev/sda7            1692        1756      522081   8e  Linux LVM
/dev/sda8            1757        1821      522081   82  Linux swap / Solaris
[pooja@linuxelearn root]$
[pooja@linuxelearn ~]$ sudo useradd jon
Sorry, user pooja is not allowed to execute '/usr/sbin/useradd jon' as root on linuxelearn.rj.com.
[pooja@linuxelearn ~]$
Note: Try the same commands for a group as well. It works exactly the same way.
How to allow any group or user to run only network related commands as sudo user in Linux.
To allow a group to run only network commands, first uncomment the following line.

Observe that you have just removed the # before the line so that sudo reads it, and also observe that it contains all the networking commands.
- Just replace "ALL" with "NETWORKING" in the last field of the group line.

## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
Note: NETWORKING is the name of the command alias defined in the line you just uncommented.
- Now log in as one of the members of the rp group and try some of the commands assigned to it.

[pooja@linuxelearn ~]$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:0A:86:5B
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:396 errors:0 dropped:0 overruns:0 frame:0
          TX packets:396 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:47248 (46.1 KiB)  TX bytes:47248 (46.1 KiB)

[pooja@linuxelearn ~]$ sudo userdel raj
Sorry, user pooja is not allowed to execute '/usr/sbin/userdel raj' as root on linuxelearn.rj.com.
[pooja@linuxelearn ~]$
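Both parts of this tutorial (the per-user fdisk/parted line and the NETWORKING alias for a group) rely on the same matching rules in sudoers: who the line applies to (a user or a %group), which target user the (...) part permits, and which command paths are listed. The toy evaluator below is an added example written for this page, not sudo's own parser and not part of the tutorial; it covers only the subset of the grammar shown above. The sudoers text and the rp group membership are constructed inline, and the body of the NETWORKING alias is an assumption, since the tutorial refers to the alias without showing its contents.

```python
"""Toy evaluator for the sudoers user-specification lines used in this tutorial.

Added example, not sudo's own parser: it handles only comments, Cmnd_Alias,
user and %group specs, ALL, and comma-separated command lists with optional
arguments. The host field is accepted but ignored (treated as ALL).
"""
import re
import shlex

# Constructed sudoers text modelled on the tutorial. The NETWORKING alias body
# is an assumption: the tutorial refers to the alias but does not show it.
SUDOERS = """
## Allow root to run any commands anywhere
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient
root    ALL=(ALL)   ALL
pooja   ALL=(ALL)   /sbin/fdisk,/sbin/parted
%rp     ALL=(ALL)   NETWORKING
"""

# Constructed group membership, standing in for /etc/group.
GROUPS = {"rp": {"pooja", "raj"}}

# who  host = (runas) commands   -- the (runas) part is optional in sudoers
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return (aliases, specs) from sudoers text; raises on lines outside the subset."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",") if c.strip()]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        who, host, runas, cmds = m.groups()
        specs.append({
            "who": who,
            "host": host,
            "runas": runas or "root",              # sudo's default target user is root
            "cmds": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return aliases, specs


def _who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):                        # %name denotes a group
        return user in groups.get(who[1:], set())
    return who == user


def _cmd_matches(pattern, argv):
    """sudoers rule: a bare path allows ANY arguments; path plus args pins the args."""
    if pattern == "ALL":
        return True
    parts = shlex.split(pattern)
    if parts[0] != argv[0]:
        return False
    return len(parts) == 1 or parts[1:] == argv[1:]


def is_allowed(user, argv, sudoers=SUDOERS, groups=GROUPS, runas="root"):
    """Would `sudo -u <runas> argv...` be permitted for `user`?

    argv[0] must be the resolved full path (the `which fdisk` step above),
    because sudoers matches on the path, not on the bare command name.
    """
    aliases, specs = parse_sudoers(sudoers)
    for spec in specs:
        if not _who_matches(spec["who"], user, groups):
            continue
        if spec["runas"] not in ("ALL", runas):
            continue
        expanded = [c for p in spec["cmds"] for c in aliases.get(p, [p])]
        if any(_cmd_matches(p, argv) for p in expanded):
            return True
    return False


if __name__ == "__main__":
    for user, argv in [
        ("pooja", ["/sbin/fdisk", "-l"]),
        ("pooja", ["/usr/sbin/useradd", "jon"]),
        ("pooja", ["/sbin/ifconfig"]),
        ("pooja", ["/usr/sbin/userdel", "raj"]),
        ("raj", ["/sbin/fdisk", "-l"]),
    ]:
        verdict = "allowed" if is_allowed(user, argv) else "denied"
        print(f"{user:6} {' '.join(argv):28} -> {verdict}")
    # Pinning arguments: only `fdisk -l` is permitted, any other invocation is denied.
    pinned = "pooja ALL=(ALL) /sbin/fdisk -l"
    print(is_allowed("pooja", ["/sbin/fdisk", "-l"], sudoers=pinned),
          is_allowed("pooja", ["/sbin/fdisk", "/dev/sda"], sudoers=pinned))
```

The evaluator makes one point of the tutorial's configuration explicit: a bare path such as /sbin/fdisk in a sudoers line permits that program with any arguments, so pooja can run fdisk as root with write operations as well as with -l; listing the path together with its arguments (as in the pinned line at the end) restricts sudo to exactly that invocation. On a real system, the equivalent check is `sudo -l -U pooja` (run as root), which prints the commands a user may run without the trial-and-error shown above, and `visudo -cf <file>` validates a sudoers file's syntax before it is installed.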