Restrict a user’s rights to a specific command with sudo


sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser. However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as “substitute user do”. Although the latter case reflects its current functionality more accurately, sudo is still often called “superuser do” since it is so often used for administrative tasks.

Unlike the related command su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command. The configuration file offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.

With the following steps, you can restrict a group to run only a specific command with sudo:

  • Create a group
    sudo addgroup myservicegrp
  • Add the user accounts of your choice to the group
    sudo usermod -a -G myservicegrp myuseraccount
  • Edit the /etc/sudoers file and add the following line
    %myservicegrp ALL=(ALL) /usr/sbin/service myservice *

The user account myuseraccount will then be able to run sudo service myservice followed by any arguments, because the trailing * in the rule is a wildcard.

You can restrict the group to a single command by replacing the line above with the following one:

%myservicegrp ALL=(ALL) /usr/sbin/service myservice start

In that case, myuseraccount will be able to start only the service called myservice.
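An added example (not from the original post): a small shell lint that reports how tightly a sudoers rule of the form shown above pins a command's arguments, and which run-as list it grants. The function names and the third sample rule are assumptions made for illustration; it goes slightly beyond the post by also covering rules with no argument list and with `""`.

```shell
#!/bin/sh
# Added example, not from the original post. Handles only the single-line
# "who host=(runas) /path/cmd args" rule form used above.

# Print the argument part of a rule (everything after the command path).
rule_args() {
    spec=${1#*=}                                     # drop "who host="
    case $spec in *\(*\)*) spec=${spec#*\)} ;; esac  # drop "(runas)"
    set -f; set -- $spec; set +f                     # split without globbing
    [ $# -gt 0 ] && shift                            # drop the command path
    printf '%s\n' "$*"
}

# Classify the arguments the way sudoers(5) matches them.
classify_rule() {
    args=$(rule_args "$1")
    case $args in
        '')              echo any-args ;;       # none listed: any are allowed
        '""')            echo no-args ;;        # "" means no arguments at all
        *\**|*\?*|*\[*)  echo wildcard-args ;;  # wildcards match across spaces
        *)               echo exact-args ;;     # only this exact argument list
    esac
}

# Print the run-as list, e.g. "ALL" for "(ALL)"; sudo defaults to root.
rule_runas() {
    case $1 in
        *=*\(*\)*) r=${1#*\(}; printf '%s\n' "${r%%\)*}" ;;
        *)         echo root ;;
    esac
}

# Constructed samples: the two rules from the post plus a tightened run-as.
audit_samples() {
    while IFS= read -r rule; do
        printf '%-14s runas=%-4s %s\n' \
            "$(classify_rule "$rule")" "$(rule_runas "$rule")" "$rule"
    done <<'EOF'
%myservicegrp ALL=(ALL) /usr/sbin/service myservice *
%myservicegrp ALL=(ALL) /usr/sbin/service myservice start
%myservicegrp ALL=(root) /usr/sbin/service myservice start
EOF
}

audit_samples
```

Before installing a rule, check the file's syntax with `visudo -cf <file>`, which parses it without applying it.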
