22

I would like a user to have sudo rights (without password check) to a couple of shell scripts under a specific directory (in my case, /usr/local/tomcat7/bin), and to nowhere else. What's the simplest way to accomplish this?

Something like this in /etc/sudoers didn't seem to work:

jsmith ALL=(ALL) NOPASSWD: /usr/local/tomcat7/bin
Jonik
  • Someone hopes these scripts and the directory are writable only by root since otherwise it's a huge security vulnerability. – Faither Dec 19 '21 at 14:46
  • I was searching for this, as I want a user to be able to execute a script using `sudo`, but NOT update the script. Making sure that the directory is writable only via sudo achieves this? – Zach Smith Mar 17 '22 at 09:11

2 Answers

26

I think you are almost there. Put a / at the end of your directory spec:

jsmith ALL=(ALL) NOPASSWD: /usr/local/tomcat7/bin/

From the sudoers man page:

A directory is a fully qualified path name ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein).

user9517
  • Thanks (to both answerers), got it working! Note to self: need to invoke the scripts directly (e.g. `sudo catalina.sh stop`) - this doesn't work: `sudo sh catalina.sh stop`. – Jonik Jul 27 '11 at 17:17
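An added example, not part of either answer: a POSIX shell helper that emits the directory rule with the trailing slash, and a check for the point raised in the comments, that a directory rule is only safe if the directory and every file in it are owned by root and not writable by group or others. The user name and path come from the question; the function names and the optional owner argument (so the check can be exercised without root) are my own.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumed user and directory
# are the ones in the question: jsmith and /usr/local/tomcat7/bin.

# Print a sudoers directory rule. The trailing '/' is what makes sudoers
# treat the path as a directory spec instead of a single command name.
sudoers_dir_rule() {
    user=$1
    dir=${2%/}/
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$dir"
}

# List entries (the directory itself plus its direct children, which is the
# scope of a "dir/" rule) that would let the sudoer escalate: anything not
# owned by $2 (default root) or writable by group (020) or others (002).
# Empty output means the rule is safe to install; any line printed is a
# file the user could edit and then run as root without a password.
find_unsafe_entries() {
    dir=${1%/}
    owner=${2:-root}
    find "$dir" -maxdepth 1 \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# Typical use (requires root to write the drop-in and run visudo):
#   find_unsafe_entries /usr/local/tomcat7/bin
#   sudoers_dir_rule jsmith /usr/local/tomcat7/bin > /etc/sudoers.d/tomcat
#   visudo -cf /etc/sudoers.d/tomcat
# Note that "sudo sh catalina.sh" is not matched by the rule: sudo matches
# the command path (sh), not the script passed as an argument.
```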
8

Add a slash '/' to the end of the path.

jsmith ALL=(ALL) NOPASSWD: /usr/local/tomcat7/bin/
h0tw1r3