I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.
user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL
user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL
All of those attempts have resulted in a syntax error in the /etc/sudoers file.
I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?
Try to add something like this:
user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args
On the above line:
ALLspecifies that the rule applies on all hosts (if you were to copy the file elsewhere, for example), for anyone who is curious. — Aug 21, 2020 at 10:20
External links referenced by this document:
Local articles referenced by this article: