Jan 14, 2013

Run a specific command as root without root password

In most Linux/Unix systems users need special privileges to run some command. Specially to stop a service, mount a device likewise. In these scenarios most old Linux/Unix systems used the command 'su -'. But this command requires the root users password. Sharing a root password with other users is not a good practice. Therefore, we need to use some other way to do this task.

'Sudo' command allows non-privileged users to run various commands as a root user without the root password. Root user can specify which user or the user group can run command(s) as root or any other user. Those information will be saved in a configurations file in '/etc/sudoers'. But I strongly advice you not to edit that file directly. Because if there is an error, that will cause a system malfunctioning. The best way to do these changes is to use the 'visudo' command. Though you edit the same file via this command, it will check the syntax before it save those changes to the configurations file permanently.

For an example, think that there is a Linux based proxy server running on your office environment. Normally you do lots of changes upon requests. (It's not a very good practice.) So you want to get the help of a new trainee person to handle the proxy server. But there are few problems. One is you need to restart the proxy service to activate a configuration change. And also you may have some other services running on the same host server. So the server is critical but you need to provide some high level privileges to a non-experienced user.

Now you need to provide some high privileges to the user but only to run some identified commands. According to the example you need to provide privileges to edit the "squid.conf" file, restart the squid service. So you can do this things in many different ways on the "sudoes" file.

Run 'visudo' and go to the line "root  ALL=(ALL) ALL". Add those commands on the next line.

bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid

In the first part you need to set the user name. In this case it's Bob. If you want to set a group you need to add a "%" sign in front of the group name.

Oh the second part you need to specify the hostname.

Then you can add " NOPASSWD: " in between the equal (=) sign and the command to not to ask the password when the user run that command. If you remove that, system will ask user to give the his/her password each time he/she runs a command out of these.

Then you can specify commands that you need to provide to the user. Absolute path is required when specifying commands and configuration files.











No comments:

Post a Comment

Your comments are always welcome ...