Linux – Giving Command Access to Non-Root User Without Sudo

Tags: linux, sudo

I want to give non-sudo access to a non-root user on my machine. There is a user dns-manager, whose only role is to run all the BIND commands (rndc, dnssec-keygen, etc.).

Now every time he has to run a command, he types

sudo rndc reload

Is there a way I can get rid of this sudo, but only on a particular set of commands (and only for dns-manager)?

Best Answer

If I understand your comments correctly, the issue here is that the command will be issued through a connection that does not have any ability to enter the password that sudo defaults to requesting. Also, in many OS distributions, sudo will default to requiring a TTY - which this program may not have.

However, sudo is able to have a very fine-grained permissions structure, making it possible to allow one or more users to issue one particular command without password and TTY. Below, I'll show three ways to configure this for your needs. Whichever one you choose, the user will now be able to issue the command sudo rndc reload without having to enter a password.

(Also, this may be unnecessary, but... please remember to make a backup copy of your sudoers file before editing it, to keep a shell where you're root open in case you need to revert to the backup, and to edit it using visudo instead of sudo vi /etc/sudoers. Hopefully these precautions will be unnecessary, but... better to have them and not need them than the reverse!)

1. If you don't want to require a TTY for any requests

The easiest way to get rid of the TTY requirements (if one exists) is to make sure that the line beginning with Defaults in /etc/sudoers does not contain the word requiretty - instead, it should contain !requiretty. However, if you do this, it means that no sudo command will require a tty!

You will also need to add the line

rndcuser ALL = (root) NOPASSWD: /path/to/rndc reload, /path/to/dnssec-keygen, /path/to/other/program

2. If you want to require a TTY for all users except this one

This can be done by setting a default for this one user, like this:

Defaults:rndcuser        !requiretty
rndcuser ALL = (root) NOPASSWD: /path/to/rndc reload, /path/to/dnssec-keygen, /path/to/other/program

3. If you want to require a TTY for all commands except this one command by this one user

This is a bit more complex, due to the syntax of the sudoers file. You'd need to create a command alias for the command, and then set a default for that command alias, like so:

Cmnd_Alias RNDC_CMD = /path/to/rndc reload, /path/to/dnssec-keygen, /path/to/other/program
Defaults!RNDC_CMD !requiretty
rndcuser ALL = (root) NOPASSWD: RNDC_CMD
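The three variants differ in how widely they switch off requiretty, and the answer's command lists mix an argument-restricted entry (rndc reload) with bare program paths (dnssec-keygen), which sudoers treats as "any arguments allowed". The following is an added example, not part of the answer or of sudo itself: a small linter that parses fragments in the shape of the three variants above and reports the scope of each !requiretty override plus every NOPASSWD command whose arguments are unrestricted or contain a wildcard. The paths /usr/sbin/rndc and /usr/sbin/dnssec-keygen stand in for the answer's /path/to/... placeholders and are assumptions; the fragments are constructed test input.

```python
"""Lint sudoers fragments for requiretty scope and NOPASSWD argument restrictions.

Added example, not part of sudo. It understands only the three line types the
answer uses (Defaults, Cmnd_Alias, user specification); a Cmnd_Alias must be
defined before the line that uses it, and '#' is treated as a comment start.
"""
import re

# Constructed input: the answer's three variants with assumed absolute paths.
VARIANT_GLOBAL = """\
Defaults !requiretty
rndcuser ALL = (root) NOPASSWD: /usr/sbin/rndc reload, /usr/sbin/dnssec-keygen
"""
VARIANT_PER_USER = """\
Defaults:rndcuser        !requiretty
rndcuser ALL = (root) NOPASSWD: /usr/sbin/rndc reload, /usr/sbin/dnssec-keygen
"""
VARIANT_PER_CMD = """\
Cmnd_Alias RNDC_CMD = /usr/sbin/rndc reload, /usr/sbin/dnssec-keygen
Defaults!RNDC_CMD !requiretty
rndcuser ALL = (root) NOPASSWD: RNDC_CMD
"""

DEFAULTS_RE = re.compile(r"^Defaults([:!@>]\S+)?\s+(.+)$")
CMND_ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user host = (runas) [tags] command list
USER_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(NO)?PASSWD:\s*")
SCOPE_PREFIX = {":": "user", "!": "command", "@": "host", ">": "runas"}


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def _check_command(path, args, findings):
    """sudoers semantics: no argument list = any arguments; "" = no arguments."""
    if path == "ALL":
        findings.append("NOPASSWD: ALL grants every command without a password")
        return
    if not path.startswith("/"):
        findings.append("%s: command is not an absolute path" % path)
    if args == "":
        findings.append("%s: no argument list, so any arguments are accepted" % path)
    elif any(ch in args for ch in "*?["):
        findings.append("%s %s: wildcard in arguments" % (path, args))


def lint_sudoers(fragment):
    """Return {'requiretty_disabled_for': [...], 'nopasswd_commands': [...], 'findings': [...]}."""
    aliases = {}
    report = {"requiretty_disabled_for": [], "nopasswd_commands": [], "findings": []}
    for raw in fragment.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            scope = "global" if m.group(1) is None else (
                "%s:%s" % (SCOPE_PREFIX[m.group(1)[0]], m.group(1)[1:]))
            if "!requiretty" in re.split(r"[\s,]+", m.group(2)):
                report["requiretty_disabled_for"].append(scope)
                if scope == "global":
                    report["findings"].append("requiretty disabled for every user and command")
            continue
        m = CMND_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))
            continue
        if re.match(r"^\w+_Alias\b", line):
            continue  # User_Alias / Host_Alias / Runas_Alias are not needed here
        m = USER_SPEC_RE.match(line)
        if not m:
            report["findings"].append("unrecognised line: %s" % line)
            continue
        user = m.group(1)
        nopasswd = False  # a tag applies to every command that follows it in the list
        for item in _split_list(m.group(4)):
            while True:
                tag = TAG_RE.match(item)
                if not tag:
                    break
                nopasswd = tag.group(1) == "NO"
                item = item[tag.end():]
            for cmd in aliases.get(item, [item]):  # expand a Cmnd_Alias if one is named
                path, _, args = cmd.partition(" ")
                if nopasswd:
                    report["nopasswd_commands"].append((user, cmd))
                    _check_command(path, args.strip(), report["findings"])
    return report


if __name__ == "__main__":
    for name, frag in (("global", VARIANT_GLOBAL), ("per-user", VARIANT_PER_USER),
                       ("per-command", VARIANT_PER_CMD)):
        print(name, lint_sudoers(frag))
```

Run on the three variants, only the first one is flagged for turning requiretty off globally, and all three are flagged for /usr/sbin/dnssec-keygen accepting arbitrary arguments; appending `""` to a command in the list (for example `/usr/sbin/rndc ""`) tells sudo to allow no arguments at all, which the linter treats as restricted.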