give user right to some root command with sudo

xkcd lustration of sudo command

Sudo is command to alter user privilege, sudo shall given to trusted user only. In ubuntu first user have this right. To use sudo user need to insert their password. All the sudo rule written on sudoers file. Here is the default content of ubuntu sudoers file.

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

There is 3 similar lines there :

root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL

3 of it have the same pattern, here is the full pattern

[user|group] host=([altered to user:group])NOPASSWD:[comma separated commands or alias]

NOPASSWD mean user doesn't need any password to call specified command. Here is customized sudoers file for illustration.

# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.
# Defaults

Defaults        !lecture,tty_tickets,!fqdn

# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias USERS  = /usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/users
Cmnd_Alias CH     = /bin/chown,/bin/chmod
Cmnd_Alias USM    = USERS,CH

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

usm localhost=(root)NOPASSWD:USM

Fom the example above, user usm have access to USM alias command as a root user without password.

I still find the source. i got this from somewhere forgotten place.

Comments