Centos – allowing sudo to delete certain files

centossudo

I would like to allow to delete certain files in /tmp directory to sudo users. I have added the Allow_Cmnd /usr/sbin/userdel for sudo users but this does not delete all /tmp files associated with the user.

So how shall I tweak the sudoers to allow them to delete certain files in /tmp directory only. I googled a bit but learned that regex may be be application at this. I tried couple of tweaks but its not working for me.

I would like the users to have ability to execute command such as

find /tmp -uid 10002 | grep joeuser | xargs rm -rf

Best Answer

The best thing to do is write a script that does what you want. You can do extensive sanity checking in there, check if the user is doing only what they are allowed, and so on. And then only allow that script to be ran from sudo.

Alternatively you can also allow them to run the command as you described it: /bin/bash -c "find /tmp -uid 10002 | grep joeuser | xargs rm -rf", or even simpler find /tmp -uid 10002 -path \*joeuser\* -delete.

As pointed out already, using xargs this way is not a good idea. You can either use find -print0 | xargs -0, or my personal recommendation is: find /tmp -uid 10002 -path \*joeuser\* -depth -exec rm -rf {} +. If your version of find does not support the +, you may use \; instead.

Related Solutions

Linux – Why does sudo command take long to execute

I asked this question over on SO and it got moved here. That said I no longer have the ability to edit the question as if I owned it, or even accept the correct answer, but this turned out to be the true reason why and how to solve it:

Found here User "rohandhruva" on there gives the right answer:

This happens if you change the hostname during the install process.

To solve the problem, edit the file /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <ADD_YOURS_HERE> 
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <ADD_YOURS_HERE>

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Best Answer

Related Solutions

Linux – Why does sudo command take long to execute

Ssh-agent forwarding and sudo to another user

Related Topic