Wednesday, June 9, 2010

Allowing a specific user to run specific commands without giving them full sudo or root access

I was working on a web page that shows the status of a few different servers and was looking for a method to allow some servers/services to be managed from the web page without giving access to anything unnecessary. I accomplished this by giving the web server permission to run some specific sudo commands via the sudoers file.

(The sudoers file is where you allow a user to run stuff with the sudo command. It should always be edited with "sudo visudo".)

Here is what I came up with:

This will allow the logged-in user Username to run a command like "sudo /usr/sbin/service ServiceName stop" on the host HOSTNAME without entering a password. The * allows anything to be added after the service name, such as start or stop.
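The sudoers line itself is missing from this page, so the following is an added example reconstructed from the description above, not the author's original entry. Username, HOSTNAME and ServiceName are the post's placeholders; the drop-in file name and the Cmnd_Alias name are assumptions. It also shows a tighter variant, because in sudoers a * in command arguments matches any characters, including spaces, so it permits extra arguments beyond a single action word.

```sudoers
# /etc/sudoers.d/webstatus   (hypothetical file name)
# Edit with:   sudo visudo -f /etc/sudoers.d/webstatus
# Check with:  sudo visudo -cf /etc/sudoers.d/webstatus
#
# Keep only ONE of the two options below. If both are present,
# the broader rule in option A still applies.

# Option A: the rule as the post describes it.
# User "Username" on host "HOSTNAME" may run the service command for
# ServiceName with any trailing arguments, without a password prompt.
Username HOSTNAME = NOPASSWD: /usr/sbin/service ServiceName *

# Option B: the same grant with the actions spelled out.
# Only these three exact command lines are allowed; anything else
# (other services, extra arguments) is rejected by sudo.
Cmnd_Alias WEB_SVC = /usr/sbin/service ServiceName start, \
                     /usr/sbin/service ServiceName stop, \
                     /usr/sbin/service ServiceName status
Username HOSTNAME = NOPASSWD: WEB_SVC
```

Running "sudo -l -U Username" as root lists what the account is actually permitted to run after the change.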

There are some nice examples of how to use the sudoers file on sudo's homepage @