Monday, May 17, 2010

Provided Limited Root Privilege To User Using /etc/sudoers File

The sudo command is used to grant a particular user limited root privilege. The important file here is /etc/sudoers.
[root@mailservice ~]# vi /etc/sudoers
Alternatively, open the file with the visudo command, which checks the syntax before it saves the file.
[root@mailservice ~]# visudo
At the end of this file we add the user, the host and the service command that the user is allowed to run.
Syntax
[Username] [System name]=[path of the service] [status]
Here status is the action passed to the service script, for example restart.
Now I allow the user rhel5 to run the httpd restart command:

rhel5 mailservice=/etc/init.d/httpd restart

User Name   : rhel5
System Name : mailservice
Service Name: /etc/init.d/httpd
Status      : restart
Verification: log in as user rhel5 and try to restart the service without sudo
[rhel5@mailservice root]$ /etc/init.d/httpd restart
rm: cannot remove `/var/run/httpd.pid': Permission denied [FAILED]
Starting httpd:
touch: cannot touch `/var/lock/subsys/httpd': Permission denied
Run the httpd restart using the sudo command
[rhel5@mailservice root]$ sudo /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
How to find the path of a command when running a service with sudo privilege
[rhel5@mailservice root]$ service httpd restart
rm: cannot remove `/var/run/httpd.pid': Permission denied [FAILED]
Starting httpd: touch: cannot touch `/var/lock/subsys/httpd': Permission denied
Run the service command with sudo
[rhel5@mailservice root]$ sudo service httpd restart
Sorry, user rhel5 is not allowed to execute '/sbin/service httpd restart' as root on mailservice.localdomain.
The error message shows the full path of the command (/sbin/service) that has to be added to the sudo privilege for that user.
Then add that path or command in the /etc/sudoers file. The user name is case-sensitive, so it must be written exactly as rhel5:
rhel5 mailservice=/sbin/service httpd restart
Then try it again.
Other commands that can be given in the same way:
For the sshd service (Secure Shell daemon, remote login) restart:
/sbin/service sshd restart
To add a user:
/usr/sbin/adduser
For the mount command:
/sbin/mount
/sbin/umount
To shut down the system:
/sbin/shutdown
Note that a path listed without arguments lets the user run that command with any arguments, so /sbin/service sshd restart is much narrower than /sbin/service alone.
Allows all users of the 'sys' group to run networking, software, service management and other commands. Add the following line.
NETWORKING, SOFTWARE and the other names are Cmnd_Alias names; they must be defined (uncommented) earlier in /etc/sudoers, as they are in the stock Red Hat sudoers file, or visudo will reject the line.
%sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
Allows people in group wheel to run all commands. Add the following line:
%wheel ALL=(ALL) ALL
The same thing without a password:
%wheel ALL=(ALL) NOPASSWD: ALL
Allows members of the users group to mount and unmount the cdrom as root:
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
Allows members of the users group to shut down this system:
%users localhost=/sbin/shutdown -h now
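As an added example (this is not the post's own code), here is a small POSIX shell helper that builds a rule in the form used above, resolves a bare command name to the absolute path that sudoers requires (the step the "Sorry, user rhel5 is not allowed to execute" message forces you through), and grades how broad each of the rules on this page is, including the wheel and users group rules just listed. The function names are assumptions made here; rhel5 and mailservice are the post's own values, and visudo is only called when it is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. It assembles a sudoers
# rule in the post's form  USER HOST=/full/path/command args  and grades
# how much of root it hands out. The function names (resolve_cmd,
# make_rule, rule_scope, check_syntax) are hypothetical; the user "rhel5"
# and host "mailservice" are the post's own constructed values.

# sudoers needs the absolute path of a command. Resolve a bare name such
# as "service" to that path; prints nothing and returns 1 when the name
# is not an executable on the PATH (shell builtins are filtered out).
resolve_cmd() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  command -v "$1" 2>/dev/null | grep '^/' ;;
    esac
}

# Print one rule: user, host, command and the exact arguments allowed.
# Refuses a relative command path, which sudoers would also reject.
make_rule() {
    user=$1; host=$2; cmd=$3; args=$4
    case "$cmd" in
        /*) ;;
        *)  echo "make_rule: command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    if [ -n "$args" ]; then
        printf '%s %s=%s %s\n' "$user" "$host" "$cmd" "$args"
    else
        printf '%s %s=%s\n' "$user" "$host" "$cmd"
    fi
}

# Grade a rule's command part (everything after the first '='), ignoring an
# optional (runas) list and NOPASSWD: tag. Prints one of:
#   full-root  - ALL: the user can run any command as root
#   any-args   - a fixed command but any arguments (/sbin/service alone
#                lets the user restart every service, not just httpd)
#   exact-args - command with fixed arguments, as in the post's httpd rule
# A comma-separated command list is graded as one unit.
rule_scope() {
    spec=$(printf '%s' "$1" | sed -e 's/^[^=]*=//' \
        -e 's/^[[:space:]]*([^)]*)//' \
        -e 's/^[[:space:]]*NOPASSWD:[[:space:]]*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$spec" in
        ALL)   echo full-root ;;
        *" "*) echo exact-args ;;
        *)     echo any-args ;;
    esac
}

# Parse-check a rule with visudo -c -f when visudo is installed, using a
# temp file so /etc/sudoers is never touched. Prints ok, bad or skipped.
check_syntax() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null 2>&1; then echo ok; else echo bad; fi
    rm -f "$tmp"
}

# Demonstration on the post's own rules.
svc=$(resolve_cmd /sbin/service)
rule=$(make_rule rhel5 mailservice "$svc" "httpd restart")
echo "$rule   -> $(rule_scope "$rule") ($(check_syntax "$rule"))"
for r in 'rhel5 mailservice=/sbin/service' \
         '%wheel ALL=(ALL) NOPASSWD: ALL' \
         '%users localhost=/sbin/shutdown -h now'; do
    echo "$r   -> $(rule_scope "$r")"
done
```

The grading is the part worth keeping around: a rule that ends in ALL, or that names a command with no arguments, is the one to look at first when reviewing a sudoers file, because it gives far more than the single service restart the post set out to delegate.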
