Letting a user sudo only specific commands ?

[michaelsanford]

I'm going to be temporarily donating one of my Mac's to my company for a conference. Some of the commands they'll run require root privelages.

I don't, however, want them to be able to sudo anything they want.

The man file for sudoers was a little cryptic for me, maybe I'm just tired.

So, how do I add a line to /etc/sudoers that will allow them only to issue, say sudo /Applications/sc_trans_linux ?

 

[rbb]

As root, run visudo, that will allow you to edit the suders file. Be very careful, read the man pages for it. If you mess it up, you can not sudo. I would have one terminal window that is logged in as root, then edit in another, and test in a third.

 

[michaelsanford]

Actually on Darwin you don't need to use visudo.

Perhaps I wasn't specific enough. To add a user to sudoers and allow them to run all apps you would add
user_name ALL=(ALL) ALL
%group_name ALL=(ALL) ALL

What I want to do is something like :
%conference /Applications/sc_trans_linux

 

[rbb]

Ok, apparently you did not read the man page. Read the man page for sudoers. It really helps.

 

[scruffy]

Really - the sudoers man page is clear, read the manpage.

Also, unless you are allergic to vi, it probably is a good idea to use visudo - when you are done editing the file, it automatically sends the appropriate signals to the appropriate processes, to tell them the file is updated - saves you tracking down the processes yourself.

 

[michaelsanford]

Come now, you can't tell me that
User Specification
User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \
(':' User_Spec)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
Runas_Spec ::= '(' Runas_List ')'

isn't at least a little discouraging to someone to who doesn't recognize any of that.

In any event, farther down the manpage I found some examples. After a while I came up with this, which seems to work :

%conferance ALL = (root) NOPASSWD: /Applications/sc_trans_macosx

User from conferance from all hosts can run sc_trans_macosx as root with no password, and can't run any other apps ?

Now I'm left with two other issues:
1. I can't seem to get the user to PASSWD for anything else, since adding a PASSWD: ALL seems to override the NOPASSWD directive.

2. I've thought of a convenience application for this : force a password if I'm logged in over SSH but not if I'm local but I predict I'll have a similar issue with the host directive.

My problem is that this is mostly trial and error, and since sudo takes some time to release, it takes forever to test this.

 

[scruffy]

sudo -k
will kill the sudo timestamp and set you back to having to reauthenticate immediately.

Wow, that is ugly - I must have been remembering the sudo manpage from a Linux distro or something. Sorry...

You can also negate things - so you could say
%conference ALL = (root) PASSWD: ! /Applications/sc_trans_macosx
meaning 'members of group conference, on all machines, may run anything except /Applicaitons/sc_trans_macosx, as root, after entering a password'

 

[g/re/p]

Actually on Darwin you don't need to use visudo.

Izzat so?

/etc $sudo cat /etc/sudoers
# sudoers file.
#
#This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

 

[rbb]

From the man page:

The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking. It is imperative that
sudoers be free of syntax errors since sudo will not run with a syntac-
tically incorrect sudoers file.

The sudoers man page is not that bad. Its better than alot of others that I have read.

 

[michaelsanford]

g/re/p, have you tried using pico ? It works. That's must be a holdover from another linux distro, like RedHat, which does mandate visudo, which you don't have to use in Mac OS X; I've *never* used visudo before.

rbb, I agree that the manpage isn't THAT bad, but for me, it's bad enough to reduce intelligibility. I didn't, however, realise that it did syntax checking.

I'm just a 'power user' not a sysadmin, so it's hard to justify spending time to learn vi when I have two (non computer related) degrees and a job to worry about But I agree, it does seem to be very very useful...so maybe I'll fink vilearn again and actually run it.

Thanks scruffy, and everyone who replied !

 

[g/re/p]

that cat /etc/sudoers is from my powermac running 10.3.6

*I learned on vi - i have used pico and emacs and did not really care for either of them.

(there is a vi clone called Elvis - lol)

 

[scruffy]

the way the visudo, vipw, and related commands work (if I recall right) is to make a temporary copy of the file, work on that, and then when you exit (maybe, I'm not sure) do a basic sanity check of the file before installing it. Then if it passes, they replace the real file.

In a single user system, it's not such a big deal maybe, but on a multi user system it is surely necessary...

Oh - and you can
export EDITOR=emacs
or whatever you want, before running visudo or any other command that will invoke the editor - those commands will generally only default to vi if the EDITOR environment variable isn't set.