Wednesday, June 28, 2017

How to allow a normal user to run commands as root under Linux?

You need the sudo command, which executes a command as another user. It allows a permitted user to run a command as the superuser or as another user, as specified in /etc/sudoers (the configuration file that lists who may run what, and on which hosts). In short, sudo lets users perform tasks on a Linux system with another user's privileges without being handed that user's password.

sudo command

sudo is more secure than su: the user never learns the root password, the privilege can be limited to specific commands, and by default every invocation (user, command and arguments) is logged to /var/log/secure (Red Hat / Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).
If the invoking user is root, or if the target user is the same as the invoking user, no password is required. Otherwise sudo requires the user to authenticate with his or her own password, not root's. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time: 5 minutes in sudo's upstream default, 15 minutes on Ubuntu, unless overridden in sudoers with a "Defaults timestamp_timeout=N" line.

/etc/sudoers Syntax

A user specification in /etc/sudoers has the following general form (the RUNAS part is optional, the others are required):
      USER HOSTNAME = (RUNAS) COMMAND
      USER: Name of the user the rule applies to.
      HOSTNAME: Where the command is allowed to run, i.e. the hostname of the system on which this rule applies. sudo is designed so that one sudoers file can be distributed to all of your systems; this field lets you set per-host rules. ALL matches every host.
      RUNAS: The user the command may be run as, e.g. (root) or (ALL). If omitted, the command runs as root.
      COMMAND: A fully qualified path on its own allows the user to run that command with any arguments he or she wishes. You may also specify command line arguments (wildcards allowed; note that a * in the argument part matches across spaces, so it can cover more than one argument). Specify "" (two double quotes) after the path to indicate that the command may only be run without command line arguments. ALL matches every command.

How do I use sudo?

If there are multiple matching entries in /etc/sudoers, sudo uses the last one, which is not necessarily the most specific one. Therefore, if you can already execute any command with a password prompt and want one particular command to run without a password prompt, the exception must come last:
myusername ALL = (ALL) ALL
myusername ALL = (root) NOPASSWD: /path/to/my/program
With the two lines reversed, the ALL rule would be the last match for /path/to/my/program and the password prompt would come back.

Give user ravi permission to run the halt command and to restart the Apache web server. First, log in as root and edit the configuration with visudo, which locks /etc/sudoers and checks the syntax before saving (a typo in a hand-edited sudoers can lock everyone out of sudo):
# visudo
Append the following lines to the file:
ravi localhost=/sbin/halt
ravi dbserver=/etc/init.d/apache restart
The host field is compared with the machine's own hostname, so the first rule applies only on a machine actually named localhost and the second only on the host named dbserver; use ALL in that field to make a rule apply everywhere. Because the second rule names the argument restart, ravi may run the Apache script with that argument only, not with stop or start. Save and close the file. On dbserver, ravi can now restart the Apache web server by typing:
$ sudo /etc/init.d/apache restart
Restarting apache web server....
sudo logs the attempt to /var/log/secure or /var/log/auth.log:
# tail -f /var/log/auth.log
Sample output:
May 17 08:37:43 debian sudo:     ravi : TTY=pts/4 ; PWD=/home/ravi ; USER=root ; COMMAND=/etc/init.d/apache restart
If ravi wants to shut the computer down, he types:
$ sudo /sbin/halt
Before running a command with sudo, users normally supply their own password. Once authenticated, and if /etc/sudoers permits the command, it is run. sudo logs every invocation, including denied commands and failed authentications, so the log is worth monitoring.
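Since sudo writes one such line per invocation, the log is where misuse shows up first. The following Python script is an added example (it is not part of the original page and not sudo's code): it parses lines in the format shown above from a constructed sample log, separates successful runs from failures such as wrong passwords or users not in sudoers, and flags root invocations of programs that hand the caller an interactive shell. The sample log lines and the watch-list of programs are constructed for the example.

```python
import re
from dataclasses import dataclass
from os.path import basename
from typing import Dict, List, Tuple

# Constructed sample lines in the syslog format shown above (not taken from a real system).
SAMPLE_LOG = """\
May 17 08:37:43 debian sudo:     ravi : TTY=pts/4 ; PWD=/home/ravi ; USER=root ; COMMAND=/etc/init.d/apache restart
May 17 08:41:02 debian sudo:     ravi : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/ravi ; USER=root ; COMMAND=/bin/bash
May 17 08:42:10 debian sudo:    guest : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/id
May 17 08:45:31 debian sudo:    admin : TTY=pts/2 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/vim /etc/shadow
May 17 08:46:00 debian CRON[2201]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mon DD HH:MM:SS host sudo[:pid]:   user : <body>" where <body> is a " ; "-separated list of
# KEY=VALUE fields, optionally preceded by a free-text failure message.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$"
)


@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str
    message: str            # empty string for a successful invocation
    fields: Dict[str, str]  # TTY, PWD, USER (run-as user), COMMAND

    @property
    def runas(self) -> str:
        return self.fields.get("USER", "")

    @property
    def command(self) -> str:
        return self.fields.get("COMMAND", "")


def parse_sudo_events(log_text: str) -> List[SudoEvent]:
    """Extract sudo events from syslog text, ignoring lines from other daemons."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # not a sudo line (cron, sshd, ...)
        message = ""
        fields: Dict[str, str] = {}
        # Simplification: a COMMAND whose arguments themselves contain " ; " would be split here too.
        for part in m.group("body").split(" ; "):
            key, sep, value = part.partition("=")
            if sep and key.isupper():
                fields[key] = value
            else:
                message = part  # e.g. "user NOT in sudoers", "3 incorrect password attempts"
        events.append(SudoEvent(m.group("ts"), m.group("host"), m.group("user"), message, fields))
    return events


# Programs that, once running as root, give the caller an interactive root shell
# (watch-list constructed for this example; extend it for your environment).
SHELL_ESCAPE_CAPABLE = {"bash", "sh", "dash", "zsh", "vim", "vi", "nano",
                        "less", "more", "python", "python3", "perl"}


def suspicious(events: List[SudoEvent]) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for events an analyst should look at."""
    findings = []
    for ev in events:
        if ev.message:
            findings.append((ev.user, ev.command, ev.message))
        elif ev.runas == "root" and basename(ev.command.split(" ", 1)[0]) in SHELL_ESCAPE_CAPABLE:
            findings.append((ev.user, ev.command, "interactive program run as root"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in suspicious(parse_sudo_events(SAMPLE_LOG)):
        print(f"{user:8} {reason:32} {cmd}")
```

Run against a real /var/log/auth.log the script prints the two failed attempts and the root editor session while staying silent about the routine Apache restart; the watch-list is the part to tune, since which programs count as shell escapes depends on what your rules allow.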


a) Allow user admin to run several commands as root, each with any arguments (so /bin/kill lets admin signal any process on the system):
admin ALL=/sbin/halt, /bin/kill, /etc/init.d/httpd
b) Allow user admin to run /sbin/halt and /etc/init.d/mysqld as root without entering a password. The NOPASSWD: tag applies to every command that follows it in the list, not only the first one:
admin ALL= NOPASSWD: /sbin/halt,/etc/init.d/mysqld
c) Allow user admin to run any command in the /usr/bin directory on the host dev02:
admin dev02 = /usr/bin/*
A wildcard in the path part does not match a slash, so subdirectories of /usr/bin are excluded, but the rule still covers every shell, editor and interpreter installed there (bash, vi, python and so on), and any of them gives admin an unrestricted root shell. In practice, list the specific commands you intend to allow instead of a whole directory.
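To make the matching rules concrete, here is a small Python model of how sudo evaluates a user specification. It is an added example, not sudo's own code, and handles only the plain USER HOST = (RUNAS) TAG: COMMAND form described in the /etc/sudoers Syntax section (no aliases, groups, Defaults or negation). It evaluates the two-line example from "How do I use sudo?" in both orders to show why the NOPASSWD exception must come last, and the wildcard and "" forms from example (c) and the syntax section. All rule text and queries are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The rule pair from the page, in both orders (constructed input for this example).
EXCEPTION_LAST = """
myusername ALL = (ALL) ALL
myusername ALL = (root) NOPASSWD: /path/to/my/program
"""
EXCEPTION_FIRST = """
myusername ALL = (root) NOPASSWD: /path/to/my/program
myusername ALL = (ALL) ALL
"""
# Path wildcard (example c) and the "" no-arguments form (constructed).
WILDCARDS = """
admin dev02 = /usr/bin/*
ravi ALL = (root) /sbin/halt ""
"""


@dataclass
class Cmnd:
    path: str              # absolute path, glob pattern, or ALL
    args: Optional[str]    # None = any arguments, "" = no arguments, otherwise a glob pattern
    nopasswd: bool


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    cmnds: List[Cmnd]


# USER HOST = (RUNAS) [TAG:] COMMAND, ...   (no aliases, groups or line continuations)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, host, runas, cmnd_list = m.groups()
        cmnds = []
        nopasswd = False  # a tag stays in force for the rest of the command list
        for spec in cmnd_list.split(","):
            spec = spec.strip()
            while spec.startswith(("NOPASSWD:", "PASSWD:")):
                tag, spec = spec.split(":", 1)
                nopasswd = tag == "NOPASSWD"
                spec = spec.strip()
            path, _, args = spec.partition(" ")
            args = args.strip()
            if args == "":
                arg_spec = None   # no argument list given: any arguments are allowed
            elif args == '""':
                arg_spec = ""     # "": the command may only be run without arguments
            else:
                arg_spec = args   # literal arguments, possibly containing wildcards
            cmnds.append(Cmnd(path, arg_spec, nopasswd))
        rules.append(Rule(user, host, runas or "root", cmnds))  # omitted (RUNAS) means root
    return rules


def _glob(pattern: str, value: str, in_path: bool) -> bool:
    """fnmatch-style * and ?; in the path part a wildcard does not cross a '/'."""
    regex = ""
    for ch in pattern:
        if ch == "*":
            regex += "[^/]*" if in_path else ".*"
        elif ch == "?":
            regex += "[^/]" if in_path else "."
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, value) is not None


def evaluate(rules_text: str, user: str, host: str, runas: str,
             command: str, args: List[str]) -> Tuple[bool, bool]:
    """Return (allowed, nopasswd) for running `command args` as `runas` on `host`."""
    argv = " ".join(args)  # sudo matches arguments as one space-separated string
    decision = (False, False)
    for rule in parse_rules(rules_text):
        if (rule.user not in ("ALL", user) or rule.host not in ("ALL", host)
                or rule.runas not in ("ALL", runas)):
            continue
        for c in rule.cmnds:
            if c.path == "ALL":
                hit = True
            elif not _glob(c.path, command, in_path=True):
                hit = False
            elif c.args is None:
                hit = True
            elif c.args == "":
                hit = argv == ""
            else:
                hit = _glob(c.args, argv, in_path=False)
            if hit:
                decision = (True, c.nopasswd)  # keep scanning: a later match overrides this one
    return decision


if __name__ == "__main__":
    for label, rules in (("exception last", EXCEPTION_LAST), ("exception first", EXCEPTION_FIRST)):
        allowed, nopw = evaluate(rules, "myusername", "web01", "root", "/path/to/my/program", [])
        print(f"{label}: allowed={allowed} password_required={not nopw}")
```

The model shows the three points the page makes: the last matching entry decides whether a password is asked for, a path wildcard such as /usr/bin/* admits any program in that directory with any arguments, and a rule ending in "" refuses the same command as soon as an argument is added. For a real sudoers file use sudo -l -U USER to list what a user may run, and visudo -c to check the syntax.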
The following steps let a user run a script as root without being asked for a password:
Create a new script file (SCRIPT is a placeholder; replace it throughout with your desired script name):
vim ~/SCRIPT
The script is created in the user's home directory.
Add some commands that only root (or a sudo user) can execute, for example creating a directory at the root of the filesystem:
mkdir /ravi
Note: do not prefix the commands inside the script with sudo. Save and exit (using :wq!)
Make the script executable. The file is your own, so this step does not need sudo:
chmod u+x ~/SCRIPT
Make changes so that this script does not require a password. Open the sudoers file:
sudo visudo
Add the following line at the end (replace ravi with your username, and make sure it really is the last line, because the last matching entry wins):
ravi ALL=(root) NOPASSWD: /home/ravi/SCRIPT
Save and exit. Now run the script with sudo in front of it, from your home directory:
sudo ./SCRIPT
sudo resolves the relative path to /home/ravi/SCRIPT before matching it against the rule, and the commands inside the script run as root without a password prompt.
Caveat: a NOPASSWD rule is only as trustworthy as the file it points to. Because /home/ravi/SCRIPT is owned and writable by ravi, anyone who can write to that file (ravi himself, or an attacker who gets a shell as ravi) can put any command in it and obtain root without a password. For anything beyond a throwaway test, move the script to a directory only root can write to (for example /usr/local/sbin), make it owned by root with mode 755, and point the sudoers rule at that path. Also remember that a rule without an argument list lets the script be called with any arguments, so the script itself must treat them as untrusted.
