Limit user to execute selective commands (Linux)
How can I limit my user to execute selective commands only. I have a user tomc in tomc group. I need this user to be sudo user and then to have restricted bash. I have tried following code in /etc/sudoers
file, but its not working as user is able to execute other commands like mkdir
, rm
%tomc ALL=/bin/bash,/usr/bin/vim /*
You might be going at this the wrong way. Instead of giving a user a 'restricted' bash shell, you should only give them access to the commands they would need to run as root. For example, in your sudoers file:
tomc ALL=(root) /usr/bin/vim /etc/myapp.conf
tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log
Be careful with allowing users to run vim as root. Vim has a lot of features built-in, like escapes to shell and to the ability to run commands from within vim. Depending on your distribution, you might have sudoedit
available. This works the same as a normal Vim, except it's designed to handle shell escapes and such.
On my Synology Diskstation running DSM 6 only admin users can ssh in consistently (non-admin users have shell as /sbin/nologin in /etc/passwd -- you can set this to /bin/sh to temporarily allow ssh, but on reboot the /etc/passwd file is reset). For this reason some kind of sudo restriction is needed for an account which otherwise exists only to execute e.g. /sbin/poweroff. The following lines in /etc/sudoers worked for me:
# Allow guestx user to remote poweroff
guestx ALL=(ALL) !ALL
guestx ALL=NOPASSWD: /sbin/poweroff
Translation: disallow all commands, then allow only the desired command (without asking for password in this case).
With this configuration sudo asks for the password and then fails for commands other than the whitelisted one:
guestx@ds:~$ sudo su -
Password:
Sorry, user guestx is not allowed to execute '/bin/su -' as root on ds.
guestx@ds:~$