Sometimes, you might want to grant a user sudo privileges for only specific commands instead of full administrative access. This guide will show you how to do that easily. We will also provide an example and a test scenario to ensure it works correctly.
Keeping security in mind, you should allow only required permission that a user required to do there work. To allow command-specific sudo privileges to a user to run only certain commands with superuser rights. This can enhance security by limiting the user’s abilities.
Note: Be careful while editing the sudoers file. Mistakes in this file can prevent you from using sudo, thereby locking you out of performing administrative tasks on the system.
Steps to Grant Sudo Privileges for Specific Commands
Follow these steps to grant a user sudo privileges for specific commands:
- Open the sudoers file: Use
visudo
to safely edit the sudoers file:sudo visudo
- Add Command-Specific Entry: Add a line specifying the user and the command they are allowed to run. For example, to allow the user
tecadmin
to reload the Apache service:tecadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload apache2.service
This line allows the user
tecadmin
to runsystemctl reload apache2.service
without needing a password. - Save and Exit: Save the changes and exit
visudo
. Typically, this is done by pressingCtrl+X
, thenY
, and thenEnter
.
Example: Granting Sudo Privileges for Specific Command
Let’s go through an example to grant sudo privileges to the user tecadmin
for reloading the Apache service:
- Edit the sudoers file:
sudo visudo
- Add the Entry:
tecadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload apache2.service
- Save and Exit: Save the changes and exit
visudo
. - Switch to the User: To ensure the user has the correct sudo privileges, simply switch to user with su command.
su - tecadmin
- Run the Specific Command:
sudo /usr/bin/systemctl reload apache2.service
If
tecadmin
has the correct sudo privileges, the command will execute without asking for a password.
If the command executes successfully, it means the user tecadmin
has been granted sudo privileges for the specific command correctly.
See the below screenshot:
You will notice that the “tecadmin” is able to reload Apache service as we configured in Sudoers but he is not able to restart the same service. That means the configuration is working properly.
Additional Command Example
Let’s add another example to allow the user tecadmin
to update the package list:
- Edit the sudoers file:
sudo visudo
- Add the Entry:
tecadmin ALL=(ALL) NOPASSWD: /usr/bin/apt update
- Save and Exit: Save the changes and exit
visudo
. - Switch to the User: The following command switches you to the user
tecadmin
.su - tecadmin
- Run the Specific Command:
sudo apt update
If
tecadmin
has the correct sudo privileges, the command will execute without asking for a password.
If the command executes successfully, it means the user tecadmin
has been granted sudo privileges for the specific command correctly.
Conclusion
Granting sudo privileges for specific commands in Linux is a great way to enhance security while still providing necessary access. By following this guide, you can easily set up command-specific sudo privileges for users on your system. Always test the configuration to ensure it works as expected.