8.3. Enabling unprivileged users to run certain commands
As an administrator, you can allow unprivileged users to enter certain commands on specific workstations by configuring a policy in the /etc/sudoers.d/ directory. This is more secure than granting full sudo access to a user or giving someone the root password for the following reasons:
- More granular control over privileged actions. You can allow a user to perform certain actions on specific hosts instead of giving them full administrative access.
- Better logging. When a user performs an action through sudo, the action is logged with their user name and not just root.
- Transparent control. You can set email notifications for every time the user attempts to use sudo privileges.
Prerequisites
- You have root access to the system.
Procedure
- As root, create a new sudoers.d/ directory under /etc/:
  # mkdir -p /etc/sudoers.d/
- Create a new file in the /etc/sudoers.d/ directory:
  # visudo -f /etc/sudoers.d/<filename>
  The file opens automatically.
- Add the following line to the /etc/sudoers.d/<filename> file:
  <username> <hostname.example.com> = (<run_as_user>:<run_as_group>) <path/to/command>
  - Replace <username> with the name of the user.
  - Replace <hostname.example.com> with the host name of the host.
  - Replace (<run_as_user>:<run_as_group>) with the user or group as which the command can be executed. If you omit this section, <username> can execute the command as root.
  - Replace <path/to/command> with the complete absolute path to the command. You can also limit the user to only performing a command with specific options and arguments by adding those options after the command path. If you do not specify any options, the user can use the command with all options. To allow two or more commands on the same host on one line, you can list them separated by a comma followed by a space.
    For example, to allow user1 to execute the dnf and reboot commands on host1.example.com, enter user1 host1.example.com = /bin/dnf, /sbin/reboot.
- Optional: To receive email notifications every time the user attempts to use sudo privileges, add the following lines to the file:
  Defaults mail_always
  Defaults mailto="<email@example.com>"
- Save the changes, and exit the editor.
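The rule syntax described in the steps above, as an added Python example that is not part of the original documentation: a small parser and checker for a sudoers.d fragment. It handles the <username> <hostname> = (<run_as_user>:<run_as_group>) <command> form, comma-separated command lists with options, and the two Defaults lines for mail notification, and it flags command entries that are not absolute paths (sudoers matches commands by their full path, so a bare name such as dnf instead of /bin/dnf never grants anything and usually means the rule was mistyped). The fragment it reads, including the user names, host name and admin address, is constructed for the example; nothing is written to /etc/sudoers.d/.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One user/host rule, as in the procedure:
#   <username> <hostname> = (<run_as_user>:<run_as_group>) <cmd> [args], <cmd> [args]
# The parenthesised Runas part is optional.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas_user>[^:)]*)(?::(?P<runas_group>[^)]*))?\)\s*)?"
    r"(?P<cmds>\S.*)$"
)
# "Defaults mail_always" or 'Defaults mailto="<email@example.com>"'
DEFAULTS_RE = re.compile(r"^Defaults\s+(?P<key>\w+)(?:\s*=\s*(?P<value>.+))?$")


@dataclass
class Command:
    path: str
    args: List[str] = field(default_factory=list)


@dataclass
class Rule:
    user: str
    host: str
    runas_user: str            # "root" when the (run_as_user:run_as_group) part is omitted
    runas_group: Optional[str]
    commands: List[Command]


def parse_rule(line: str) -> Rule:
    """Parse one user/host line of the format shown in the procedure."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a user/host rule: {line!r}")
    commands = []
    for spec in m.group("cmds").split(","):
        parts = spec.split()
        if not parts:
            raise ValueError(f"empty command entry in rule: {line!r}")
        commands.append(Command(parts[0], parts[1:]))
    runas_user = m.group("runas_user")
    return Rule(
        user=m.group("user"),
        host=m.group("host"),
        runas_user="root" if runas_user is None else runas_user,
        runas_group=m.group("runas_group"),
        commands=commands,
    )


def render_rule(rule: Rule) -> str:
    """Inverse of parse_rule: the single-line form to put in a sudoers.d file."""
    runas = ""
    if rule.runas_group is not None or rule.runas_user != "root":
        group = "" if rule.runas_group is None else f":{rule.runas_group}"
        runas = f"({rule.runas_user}{group}) "
    cmds = ", ".join(" ".join([c.path, *c.args]) for c in rule.commands)
    return f"{rule.user} {rule.host} = {runas}{cmds}"


def check_fragment(text: str) -> Tuple[List[Rule], Dict[str, Optional[str]], List[str]]:
    """Parse a sudoers.d fragment and return (rules, defaults, problems).

    Problems are reported for lines that match neither form and for command
    paths that are not absolute; blank lines and # comments are skipped.
    """
    rules, defaults, problems = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DEFAULTS_RE.match(line)
        if d:
            value = d.group("value")
            defaults[d.group("key")] = value.strip('"') if value is not None else None
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        for cmd in rule.commands:
            if not cmd.path.startswith("/"):
                problems.append(f"line {lineno}: command {cmd.path!r} is not an absolute path")
        rules.append(rule)
    return rules, defaults, problems


# Constructed sample fragment (not a file from any real system); user3's rule is deliberately wrong.
SAMPLE_FRAGMENT = """\
# /etc/sudoers.d/example (constructed)
user1 host1.example.com = /bin/dnf, /sbin/reboot
user2 host1.example.com = (dbadmin:dbadmin) /usr/bin/systemctl restart postgresql
user3 host1.example.com = dnf upgrade
Defaults mail_always
Defaults mailto="admin@example.com"
"""

if __name__ == "__main__":
    rules, defaults, problems = check_fragment(SAMPLE_FRAGMENT)
    for r in rules:
        print(render_rule(r))
    print("defaults:", defaults)
    for p in problems:
        print("PROBLEM:", p)
```

This checker only covers the one-line form the procedure uses; it is a pre-flight check on the fragment you are about to install, not a replacement for visudo -c -f <file> on the target host, which validates the full sudoers grammar.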
Verification
- To verify if a user can run a command with sudo privileges, switch the account:
  # su <username> -
- As the user, enter the command with the sudo command:
  $ sudo <command>
  [sudo] password for <username>:
- Enter the user's sudo password.
  - If the privileges are configured correctly, the system displays the list of commands and options. For example, with the dnf command, it shows the following output:
    …
    usage: dnf [options] COMMAND
    …
  - If the system returns the error message <username> is not in the sudoers file. This incident will be reported, the file for <username> in /etc/sudoers.d/ does not exist.
  - If the system returns the error message <username> is not allowed to run sudo on <host.example.com>, the configuration was not completed correctly. Ensure that you are logged in as root and that the configuration was performed correctly.
  - If the system returns the error message Sorry, user <username> is not allowed to execute '<path/to/command>' as root on <host.example.com>., the command is not correctly defined in the rule for the user.