How to set specific user can run certain root command in redhat - linux

i want to ask for a specific user to use certain root commands in redhat?
my server run redhat OS 7.6. i dont have any idea how to set a user that can run certain commands from root.
let say i have one user id name MY_CIT, so MY_CIT can run certain commands for example to create print queue #lpadmin -p printer -v socket://printer:9100 -E
so MY_CIT no need root access to trigger the command.
Anyone experience on this? kindly help. thanks

You'll be able to use file ACLs. As a test I removed execute permissions from the nano command, just to show how this will work.
You won't need to do this, however, you will need root permissions to the machine. Instead of nano, use 'lpadmin' as per your requirements
[root#server bin]# chmod o-x /bin/nano
[root#server bin]# ls -lah /bin/nano
-rwxr-xr-- 1 root root 202K Jun 10 2014 nano
To test, we change to user1 and try use nano to edit a file:
[user1#server ~]$ nano file1
-bash: /bin/nano: Permission denied
Now, as root again, we add an ACL to the nano program. This allows only user1 to execute the program.
[root#server bin]# setfacl -m u:user1:x /bin/nano
Display ACL with getfacl:
[root#server bin]# getfacl /bin/nano
getfacl: Removing leading '/' from absolute path names
# file: bin/nano
# owner: root
# group: root
user::rwx
user:user1:--x <<-- Note this
group::r-x
mask::r-x
other::r--
As user1, we are able to use the nano program, but not as user2:
[user1#server ~]$ nano file1
[user1#server ~]$ ls
file1
[user1#server ~]$ exit
logout
[root#server bin]# su - user2
[user2#server ~]$ nano file1
-bash: /bin/nano: Permission denied
ACLs allow admins to extend permissions past just user/group/other. You're able to set permissions for specific users on the system.

Run command with a root privilege:
sudo visudo
It opens file /etc/sudoers for edit.
Add this line at the end of the file (and after keep one blank line):
MY_CIT ALL = NOPASSWD: /usr/sbin/lpadmin
where:
MY_CIT - name of your user
/usr/sbin/lpadmin - path to executible file. Note please that in your distro path can be different. You can check this with command whereis lpadmin.
After user can run command lpadmin with arguments with sudo without password:
sudo lpadmin ...

Related

Not able to create a directory using sudo -u username mkdir /var/log/test

I am unable to create a directory using sudo priveleges from root user and If I login to user , I can create an directory under /root using sudo. Also I have added to allow all commands in /etc/sudoers file and the details are below:
[root#linux home]# cat /etc/sudoers | grep tes
test ALL= NOPASSWD: ALL
Error
[root#linux home]# sudo -u test mkdir /var/log/test3
mkdir: cannot create directory ‘/var/log/test3’: Permission denied
Any Ideas ?
Thanks
By running 'sudo -u test', you're giving yourself lower privileges than the roor user because you're running the command as the user 'test', not 'root'. From the root user, you can just run:
mkdir /var/log/test3
Read man sudo for more info.
Or:
Run visudo and uncomment the wheel group, then add the user test to the wheel group.
If you don't mind me asking, why do you need to create a directory as a certain user from the root user? Especially since the directory you're making will not be user specific?
Also, in the sudoers file , you should what added test ALL=(ALL) NOPASSWD: ALL, not test ALL= NOPASSWD: ALL

Why can't this user delete this file?

If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see than the user "jenkins" has been added to the "root" group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
As to why the jenkins user can't delete, the jenkins user needs write permissions on the parent folder of the file you're looking to delete. This is because you're actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write
permission on the parent directory (and execute permission, in order
to enter the directory in the first place). (Note that, confusingly
for beginners, permissions on the file itself are irrelevant. However,
GNU rm asks for confirmation if a write-protected file is to be
deleted, unless the -f option is used.)
Source: Wikipedia - Rm_(Unix)
So try running...
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give jenkins user sudo permissions to rm only that file via sudo. Here's an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to. But limiting him from deleting anything else in that directory.
For example:
[root#joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root#joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root#joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe#joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# visudo
[root#joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200
## -101,6 +101,7 ##
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/

Is it possible that when using sudo command it should first source a file?

I need to run a bunch of scripts (with sudo) that use a single file.sh as a configuration file for all. Initially I've put the file.sh in /etc/profile.d and when I ran the scripts as root everything was ok (because when I connected to the machine it first sourced the file.sh and all vars in that file were available) but now, for security reasons, I need to run them with another user with sudo rights.
When running with sudo the "configuration file" in /etc/profile.d does not get sourced even if I'm root and do sudo - it's the same.
Using "sudo -E" is not an option, also this kind of solution "Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"" does not work for me as the vars in the file change a lot and it's easier to throw a file, with all the vars, in a location - like /etc/profile.d/ - instead to adding options to /etc/sudoers.
Later Edit (working):
Moved original sudo command to sudo.orig. Created a new sudo bash script
[root#NS1 bin]# cat sudo
#!/bin/bash
source /etc/profile.d/set_env_vmdeploy.sh
sh /usr/bin/sudo.orig "$#"
and gave it permissions
[root#NS1 bin]# chmod 4111 sudo
[root#NS1 bin]# ll sudo*
---s--x--x 1 root root 78 May 7 13:42 sudo
---s--x--x 1 root root 123832 Jul 31 2014 sudo.orig
If you want sudo to execute all the profile scripts in the child shell, you can tell it to invoke the shell as a login shell: sudo -i /usr/local/bin/my_script.sh. (Note that the child shell will start with the working directory set to /root, and also that this may have other unintended side effects.)
Alternatively, invoke bash explicitly with a command parameter: sudo /bin/bash -c "source ./config.sh; ./real_script.sh".

/etc/apache2/sites-available/000-default.conf Permission Denied

/etc/apache2/sites-available/000-default.conf
What should I do to access this file
I want to change DocumentRoot From /var/www/html To /var/www
First check to see who owns the file:
ls -l /etc/apache2/sites-available/000-default.conf
It should probably be something like www-data. For the rest of this answer I assume the user is www-data, replace it with the correct user on your system.
Verify you have permissions to act as that user, e.g.:
sudo -u www-data id
This command just runs the id command as the www-data user, you may have to enter a password.
Edit the file as the owner of the file:
sudo -u www-data vi /etc/apache2/sites-available/000-default.conf
(or emacs or nano or whatever your favorite editor is).
If none of that works, the file permissions might be messed up, for example maybe the user of the file is not allowed to write to it. In that case posting the output of:
ls -l /etc/apache2/sites-available/000-default.conf
may be helpful in resolving your issue, but you probably can't go wrong by doing a:
sudo -u www-data chmod o+rw /etc/apache2/sites-available/000-default.conf
This grants the owner read and write permissions on the file, then try the edit again.
If none of that works please post the exact command you are running, and the exact error message.
You need to access this file as a root user. Issue the command
sudo -s
to get a root shell, then edit that file with the editor of your choice.
Just run this command and you can edit that file
gedit admin:///etc/apache2/sites-available/000-default.conf

Unable to edit file through sudo permission

I am trying to setup sudo permission for an account to have full access to all files under certain directory.
I have made the following entry in sudoers file
itg ALL= NOPASSWD: /apps/pgm/admin/
The file which I trying to modify and execute under /apps/pgm/admin/ path has the following permssion.
-rwxr--r-- 1 root root 6034 Oct 2 02:00 ptTomcat.ksh
Though I am able to execute the above script through sudo, when I try to edit this file through sudo I am getting the following error
Sorry, user itg is not allowed to execute '/bin/vi /apps/pgm/admin/ptTomcat.ksh' as root
I am running Linux
Any thoughts?
Your user cannot execute '/bin/vi' as root as you haven't added that command to /etc/sudoers for that particular user.
Try something similar to:
itg ALL= NOPASSWD: /bin/vi /apps/pgm/admin

Resources