Linux Security Policy : Sudo
With sudo we can permit a user to run one specific command as root without handing over full root privileges. The sudo documentation covers this, but it takes some digging to find the exact recipe, as I found when I went through it.
So my aim here is narrow: let a user run one specific command that needs root privileges, without giving that user any other root-level access. Let's start with the use case.
I need a user account that can execute a program that starts a service. The user must not be able to restart any service other than the one we specify. Let's say the service is controlled by vpnconnect.sh, located in /usr/sbin, and the user simply runs sudo vpnconnect.sh restart to restart it.
We use visudo to edit the sudoers file, because it locks the file and checks it for syntax errors before saving. Here are the steps:
- Add a command alias in the sudoers file using visudo:
Cmnd_Alias VPNC = /usr/sbin/vpnconnect.sh
- Allow the user group to run the command:
%support ALL = (ALL) VPNC
- Create a group called support:
#groupadd support
- Create a user and add it to the group:
#useradd superman -g support
#passwd superman
- That's it!
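The steps above, put together as a script that writes the rule as a drop-in file and sanity-checks it before it is installed. This is an added example, not part of the original post: the group support, the alias VPNC and /usr/sbin/vpnconnect.sh are the post's values, while the drop-in path /etc/sudoers.d/vpnconnect and the user name superman are assumptions. It also shows a point the post's alias leaves open: Cmnd_Alias VPNC = /usr/sbin/vpnconnect.sh lets a group member pass any arguments (stop as well as restart), so the script pins the argument list when you want only restart, and it refuses a command that is group- or world-writable, because a member could otherwise edit the script and run anything as root through the rule.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the sudoers rule from the post as a
# drop-in file and checks it before installing. "support", "VPNC" and
# /usr/sbin/vpnconnect.sh come from the post; /etc/sudoers.d/vpnconnect and the
# user "superman" are assumptions.

# Print a sudoers fragment granting group $1 the command alias $2 for command $3.
# If $3 carries arguments (e.g. ".../vpnconnect.sh restart") sudo permits exactly that
# invocation; with a bare path sudo permits the command with any arguments.
build_fragment() {
    group="$1"; alias_name="$2"; cmd="$3"
    printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$cmd"
    printf '%%%s ALL = (ALL) %s\n' "$group" "$alias_name"
}

# Write the fragment to $1 with the mode sudo expects for drop-ins (0440);
# the root:root ownership is only applied when running as root.
write_fragment() {
    path="$1"; group="$2"; alias_name="$3"; cmd="$4"
    build_fragment "$group" "$alias_name" "$cmd" > "$path"
    chmod 0440 "$path"
    [ "$(id -u)" -eq 0 ] && chown root:root "$path"
    return 0
}

# Checks the granted command must pass before the rule is installed:
#  - the path is absolute (sudo matches Cmnd entries on full paths)
#  - if the file exists, it is not group- or world-writable; otherwise a group
#    member could edit the script and run arbitrary code as root through the rule
# Returns 0 when the command is acceptable, 1 on the first failure.
check_rule() {
    cmd_path="$1"
    case "$cmd_path" in
        /*) ;;
        *) echo "command path must be absolute: $cmd_path" >&2; return 1 ;;
    esac
    if [ -e "$cmd_path" ]; then
        # positions 6 and 9 of the ls mode string are the group and other write bits
        mode=$(ls -ld "$cmd_path" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)
                echo "$cmd_path is group- or world-writable; refusing to grant it via sudo" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Syntax-check the fragment with visudo and install it. Needs root: visudo -c also
# verifies owner and mode, so the file must already be root-owned and 0440.
install_fragment() {
    src="$1"; dst="${2:-/etc/sudoers.d/vpnconnect}"   # destination path is an assumption
    visudo -cf "$src" || return 1
    install -o root -g root -m 0440 "$src" "$dst" || return 1
    echo "installed $dst; verify with: sudo -l -U superman"
}

# Usage walk-through: build the restart-only rule, show it, install it if we are root.
main() {
    tmp=$(mktemp) || exit 1
    check_rule /usr/sbin/vpnconnect.sh || exit 1
    write_fragment "$tmp" support VPNC "/usr/sbin/vpnconnect.sh restart"
    cat "$tmp"
    if [ "$(id -u)" -eq 0 ]; then install_fragment "$tmp"; fi
    rm -f "$tmp"
}
main
```

After installing, sudo -l -U superman lists exactly what the user may run, which is the quickest way to confirm the rule grants no more than intended.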
You have now created a user with the username superman. Log in over SSH as that user and execute the command:
$ sudo /usr/sbin/vpnconnect.sh restart
It will prompt for the user's password before running. If you try it as another user who is not a member of the support group, it will fail.
That's all. A normal user will not be able to run commands that need superuser privileges, such as rebooting the machine or restarting and stopping a service.
Hope this helps.