
    Saturday, December 28, 2013

    How to give permission to user to run some commands in Linux

    In Linux you can easily give a user permissions on a per-command basis: the user is allowed to run only those commands as super user, and for everything else he/she acts as a normal user with normal privileges.

    There can be cases when you want a user to be allowed to restart a particular service or run some specific commands with super user privilege. In that case you just need to make an entry for that user in the sudoers file.

    Let me show you how to do so.

    The file responsible for providing such permissions to users is /etc/sudoers

    You can either open the file with vi to edit it, or use the alternate and BETTER option for editing the sudoers file, i.e. the visudo command.

    One question should come to your mind

    Why should I use visudo command instead of directly editing the file with vi or any other editor?

    Well, the answer is that if you edit the sudoers file with the vi editor, use any wrong syntax, and save and exit the file, it might become hard even for the root user to log back in and edit the file again, because the vi editor does not check for syntax errors inside the file.
    That is the reason you should always prefer visudo: even if you make a syntax error, visudo will prompt you before making any changes and exiting.
    # visudo
    Let us understand the syntax before starting the exercise

    This is the syntax which you will have to follow in order to give any user any sort of command related permission
    %group        host=(Service Account)       Commands
    %group : Permission will be applicable to all the users in this group
    host : From all these hosts users can run the mentioned commands
    Service Account : The commands would be run with the privilege of mentioned Service Account
    Commands : List of commands

    Suppose you want to give your user permission to restart the network and Apache server services
    # visudo
    %test  192.168.0.100=(root)  /etc/init.d/network, /etc/init.d/httpd
    So, in the above line we are telling our Linux machine: allow all the users of the test group from 192.168.0.61 to run network and Apache server related commands using root privilege.

    Let us try to run these commands as the test user
    # su - test
    $ sudo /etc/init.d/network restart
    [sudo] password for test:
    Shutting down interface eth0:  Device state: 3 (disconnected)
                                                               [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:  Active connection state: activated
    Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/3
                                                               [  OK  ]
    Well it worked as expected

    But what would happen if the test user tries to run a command for which he is not authorized?
    $ sudo /etc/init.d/vsftpd restart
    [sudo] password for test:
    test is not allowed to run sudo on localhost.  This incident will be reported.

    Oops the incident has been reported, but where will you check these reports?
    # tail /var/log/secure
    Sep 27 13:04:26 test sudo:     test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/etc/init.d/network restart
    Sep 27 13:09:23 test sudo:     test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/etc/init.d/vsftpd restart
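
To pull only the refused requests out of a busy log, the sketch below parses sudo records in the /var/log/secure format shown above and prints user, reason and command for each denial. It is an added example, not part of the original post; the function names and the alice/bob/crond sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the sudo requests that sudo refused.

# Constructed sample in the /var/log/secure format shown above
# (alice and bob are made-up users; the first two lines mirror the page).
sample_log() {
cat <<'EOF'
Sep 27 13:04:26 test sudo:     test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/etc/init.d/network restart
Sep 27 13:09:23 test sudo:     test : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/etc/init.d/vsftpd restart
Sep 27 13:11:02 test sudo:    alice : command not allowed ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/sshd stop
Sep 27 13:12:40 test sudo:      bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/yum update
Sep 27 13:13:05 test crond[2211]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Print "user<TAB>reason<TAB>command" for every refused request.
# Reads the files given as arguments, or stdin when there are none.
sudo_denials() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        rest = substr($0, RSTART + RLENGTH)       # "user : [reason ;] TTY=... ; COMMAND=..."
        split(rest, part, " ; ")
        if (split(part[1], head, " : ") < 2) next # not an audit record (e.g. a PAM message)
        if (head[2] ~ /^[A-Z]+=/) next            # no reason text: the command was allowed
        c = index(rest, "COMMAND=")               # COMMAND= is the last field; keep it whole
        cmd = (c > 0) ? substr(rest, c + 8) : "-"
        printf "%s\t%s\t%s\n", head[1], head[2], cmd
    }' "$@"
}

# Count refusals per user, printed as "user=count", sorted by user name.
denials_per_user() {
    sudo_denials "$@" | cut -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

sample_log | sudo_denials
sample_log | denials_per_user
```

On a real system, run it as root against the log itself, for example `sudo_denials /var/log/secure`.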

    Please let me know your success and failures
