General Computing
linux bash centos sudo centos-7
Updated Fri, 20 May 2022 01:18:17 GMT

Whitelisting commands a user can use with sudo


I've been attempting to set up a whitelist of commands a user can run on my system. The server I'm using is running CentOS 7. What is the syntax that should be used to only allow a certain group of commands and arguments to be run as sudo for a user? I'd also like for sudo to not require a password when calling these commands.

I've tried:

  1. user ALL=/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  2. user ALL=(user:group) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  3. user ALL=(user) /bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2 NOPASSWD: ALL

  4. user ALL=(/bin/cmd1 arg1 arg2, /bin/cmd2 arg1 arg2, /bin/cmd3 arg1 arg2) NOPASSWD: ALL

All of those attempts have resulted in a syntax error in the /etc/sudoers file.

I've looked at this question: How to prevent sudo users from running specific commands? and also read this guide: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos. The question seems to indicate that the first attempt should have worked, while the guide seems to indicate that the second attempt should have worked. So what does work?




Solution

Try to add something like this:

user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args

On the above line:

  • user is the user that needs access to the commands
  • /bin/cmd1 args, /bin/cmd2 args are the commands
  • root is the user under which the commands will be executed




Comments (5)

  • +0 – Still results in a syntax error on that line when I save the file — Nov 23, 2015 at 14:03  
  • +0 – I got sudo user and commands mixed up. Try with the edit format — Nov 23, 2015 at 16:28  
  • +0 – So one of the commands I'm trying to whitelist is a /bin/chown user:group /some/folder and apparently the unescaped colon was causing a syntax error. — Nov 23, 2015 at 22:18  
  • +0 – What is root specifying here? It works with 'user ALL=NOPASSWD: /bin/cmd args, /bin/cmd2 args' as well. — Nov 24, 2015 at 00:48  
  • +0 – And ALL specifies that the rule applies on all hosts (if you were to copy the file elsewhere, for example), for anyone who is curious. — Aug 21, 2020 at 10:20  
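The working form in the accepted answer, with the discussion about the escaped colon and the `ALL` host field, as one added example that is not code from the original question or answer. It is a POSIX shell script that generates a sudoers drop-in for a user, escaping the characters that otherwise break parsing inside a command argument; the user name `deploy`, group `web`, path `/srv/app` and unit `app.service` are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a sudoers drop-in that
# whitelists a few exact command lines for one user with NOPASSWD, using the
# field order from the answer (tag first, then the command list) and escaping
# the ':' that the chown comment found to cause a syntax error.
# Assumed names: user "deploy", group "web", path /srv/app, unit app.service.

# sudoers_escape STRING: backslash-escape the characters the sudoers command
# lexer treats specially inside an argument (backslash, comma, colon, equals)
# so that sudo matches them literally.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[\\:,=]/\\&/g'
}

# sudoers_rule USER RUNAS CMD [ARG...]: print one rule of the form
#   USER ALL = (RUNAS) NOPASSWD: CMD ARG...
# ALL is the host list (the rule applies on any host the file is copied to).
# sudo matches the listed arguments exactly, so a user granted
# "/bin/chown deploy\:web /srv/app" cannot run chown on any other path.
sudoers_rule() {
    user=$1; runas=$2; cmd=$3; shift 3
    line="$user ALL = ($runas) NOPASSWD: $cmd"
    for arg in "$@"; do
        line="$line $(sudoers_escape "$arg")"
    done
    printf '%s\n' "$line"
}

# whitelist_rules: the permitted command lines, one rule per line. sudo
# combines separate lines for the same user, which avoids hand-escaping
# commas inside one long comma-separated entry.
whitelist_rules() {
    sudoers_rule deploy root /bin/chown 'deploy:web' /srv/app
    sudoers_rule deploy root /bin/systemctl restart app.service
}

# write_dropin FILE: write the rules to FILE with the 0440 mode sudo expects.
# Drop-ins live in /etc/sudoers.d/; sudo skips file names that contain '.'
# or end in '~', so name the file accordingly.
write_dropin() {
    whitelist_rules > "$1" && chmod 0440 "$1"
}

# check_dropin FILE: syntax-check FILE with visudo. Returns 0 when visudo is
# not installed so the generator itself still runs on a machine without sudo.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -cf "$1"
}

# With no argument, print the rules; with a path, write the file and check it.
if [ $# -eq 0 ]; then
    whitelist_rules
else
    write_dropin "$1" && check_dropin "$1"
fi
```

Run it without arguments to see the generated lines, or with a path such as `/etc/sudoers.d/deploy-whitelist` (as root) to install them; afterwards `sudo -l -U deploy` lists exactly which command lines the user may run, which is the quickest way to confirm that an argument with a colon or comma was escaped correctly.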

