How to create an ubuntu user with partial sudoer rights

0

I am wondering whether it's possible to create a user in Ubuntu 11.10 server with custom sudo rights. I mean by that a user who can start and shut down the box but who can't access /var/www, for example, or be able to change the IP of the box via /etc/network/interfaces and restart the networking, and only access specific files, both system and custom, in /etc/init.d/*.

Can such things be done? Thanks

EDIT: This is the first time we are deploying software on a Linux box. It's a combination of a PHP application running in apache2 with a reporting server in tomcat and other applications bundled in 2 jars. These jars are used as services, so their configurations have been added to the /etc/init folder. So ideally we would want to protect the /var/www/ourapp folder and /var/lib/tomcat6/webapps/ourreporting if possible, allow the client user to restart the box, change the IP, restart the networking, start and stop our services, apache2 and tomcat6, and see the logs in /var/logs/apache2|tomcat6, and that should be all.

black sensei

Posted 2012-07-25T11:32:35.777

Reputation: 169

Answers

1

Check this article to allow the shutdown command for specific users. You can also give that permission to a group according to this howto. I'd suggest creating a group called shutdown and putting all users with shutdown permission in that group.

As long as you don't elevate those users to admins (put them in specific groups), they shouldn't have access to /var/www.


Update: according to Bron Gondwana, my following suggestion is dangerous because users could open anything with vi, once it is started as root.

AFAIK, you can create an alias in the user's ~/.bashrc (or in /etc/bash.bashrc for system-wide settings) like alias viinterfaces="vi /etc/network/interfaces" and give the user access to viinterfaces as described in one of the above articles. I currently don't have a Linux box at hand, so you have to test this suggestion or wait for another superuser to confirm or decline that this works.


wullxz

Posted 2012-07-25T11:32:35.777

Reputation: 2 400

this is actually really dangerous. Once they're in vi as root, they can do pretty much anything. – Bron Gondwana – 2012-07-25T11:59:10.787

Thanks for your hint. I edited my suggestion to show that it's not safe. I'll leave it there in case someone comes to that thought without reading it here, so he'll read that it's not safe. – wullxz – 2012-07-25T12:32:39.783

1

Yes, you can - but it's worth considering what you're trying to protect against.

Most ideal would be hardened binaries that do one task only, and validate their inputs quite carefully.

Certainly things like changing /etc/network/interfaces - you don't want them calling out to an editor as root - you want them generating a new file with their standard editor and then you want that file installed over the top safely.

But note: if they're changing IPs they also need a way to take the interface down and back up again.

And then they can install anything they like as an "up" or "down" script on an interface and whoopdy-yay, they have root.

So basically - it's complex, it's a pile of holes waiting for a creative enough person to exploit. So I ask again - what are you trying to protect against and is this something you can solve at a people level rather than a technical level?

Bron Gondwana

Posted 2012-07-25T11:32:35.777

Reputation: 111

Hello, thanks for your response, I edited the post with what we are trying to protect. – black sensei – 2012-07-25T12:57:15.373

What's missing is why you want to solve this technically (actually REALLY HARD) rather than by only allowing people you trust enough not to be complete twonks onto your box. What is the downside of them accessing your www tree? – Bron Gondwana – 2012-07-26T13:26:34.117

Also - backups. Who's doing them, and what level of access do they have? – Bron Gondwana – 2012-07-26T13:27:15.503
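An added example of the "generate the file unprivileged, then install it safely" approach Bron Gondwana describes (this is not code from the answer or the thread): a POSIX sh wrapper that accepts a candidate /etc/network/interfaces only if it contains nothing that ifupdown would execute as root. The group name appops, the script path, and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer: the "generate, validate, then install"
# flow for /etc/network/interfaces. The operator edits a copy with an ordinary
# editor; only this script runs as root, via a sudoers line such as
# "%appops ALL = (root) /usr/local/sbin/install-interfaces /home/client/interfaces.new"
# (group, script path and interface name eth0 are placeholders).
set -eu

# Shape check only (dotted quad); ifup does the real validation.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; }

# Succeed only if every non-comment line is on the allowlist. The pre-up/up/
# post-up/pre-down/down/post-down hooks are deliberately absent: ifupdown runs
# them as root, which is exactly the hole the answer points out.
validate_interfaces() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r line; do
        case "$line" in
            'auto lo'|'iface lo inet loopback'|'auto eth0') ;;
            'iface eth0 inet dhcp'|'iface eth0 inet static') ;;
            'address '*|'netmask '*|'gateway '*|'network '*|'broadcast '*|'dns-nameservers '*)
                set -- $line; shift; [ $# -ge 1 ] || exit 1
                for ip; do is_ipv4 "$ip" || exit 1; done ;;
            *) exit 1 ;;   # anything else, hooks included, rejects the whole file
        esac
    done
}

# Copy the validated candidate over the live file with a fixed mode. Run through
# sudo, install(1) executes as root, so the operator's ownership never reaches /etc.
install_interfaces() {
    candidate=$1
    target=${2:-/etc/network/interfaces}
    if ! validate_interfaces "$candidate"; then
        echo "refusing to install $candidate: disallowed directive" >&2
        return 1
    fi
    install -m 0644 "$candidate" "$target"
}
```

The allowlist is intentionally narrow; a site that needs IPv6 or additional interfaces extends the case patterns rather than loosening them to wildcards.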

1

Open the /etc/sudoers file:

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Uncomment to allow members of group sudo to not need a password
    # %sudo ALL=NOPASSWD: ALL

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL


Write the line below inside the /etc/sudoers file:

    yourusername ALL=(ALL) ALL

Then you will become a sudoer.

max

Posted 2012-07-25T11:32:35.777

Reputation: 3 329

In place of yourusername, write your name, like sensei, but that sensei account must be present in the system. – max – 2012-07-25T12:16:51.780

He doesn't want users to become root in general. He wants a user to be able to do a few things as root, not everything. – wullxz – 2012-07-25T12:34:48.580

He will not become root; if he tries to see the /etc/sudoers file he will get an error like "Permission Denied", see here. – max – 2012-07-25T13:11:18.907

IIRC, the sudoers manpage says that your line yourusername ALL=(ALL) ALL permits user yourusername to run ALL applications as ALL users (including root) on ALL hosts. So, if you had used visudo, you should've got access to /etc/sudo/sudoers. – wullxz – 2012-07-25T13:48:07.347

I tried with visudo to open /etc/sudoers file but it's showing like this [suraj@avi ~]$ visudo /etc/sudoers usage: visudo [-c] [-q] [-s] [-V] [-f sudoers] – max – 2012-07-25T13:58:15.763

Try it with sudo -u root visudo. That must work. – wullxz – 2012-07-25T14:01:11.737
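Putting wullxz's objection into a sudoers file: an added example (not max's code and not from the thread) of a drop-in that grants only the commands the question lists, instead of yourusername ALL=(ALL) ALL. The group appops, the upstart job names ourapp-core and ourapp-report, and the interface eth0 are assumed placeholders; the script installs the drop-in into /etc/sudoers.d, which Ubuntu's stock /etc/sudoers pulls in via #includedir.

```shell
#!/bin/sh
# Added example, not code from the answer: a least-privilege sudoers drop-in for
# the client user described in the question, instead of "yourusername ALL=(ALL) ALL".
# Placeholders: the operators are in group "appops", the two bundled jars run as
# upstart jobs "ourapp-core" and "ourapp-report", the interface is eth0.
set -eu

render_sudoers_dropin() {
    # Full paths and exact arguments only. Never put '*' in an argument position:
    # sudoers wildcards also match spaces, so "service apache2 *" accepts extras.
    cat <<'EOF'
Cmnd_Alias POWER   = /sbin/shutdown -r now, /sbin/shutdown -h now
Cmnd_Alias APACHE  = /usr/sbin/service apache2 start, /usr/sbin/service apache2 stop, /usr/sbin/service apache2 restart
Cmnd_Alias TOMCAT  = /usr/sbin/service tomcat6 start, /usr/sbin/service tomcat6 stop, /usr/sbin/service tomcat6 restart
Cmnd_Alias OURAPP  = /usr/sbin/service ourapp-core start, /usr/sbin/service ourapp-core stop, /usr/sbin/service ourapp-core restart, /usr/sbin/service ourapp-report start, /usr/sbin/service ourapp-report stop, /usr/sbin/service ourapp-report restart
Cmnd_Alias NETWORK = /sbin/ifdown eth0, /sbin/ifup eth0
# Log reading needs no sudo: /var/log/apache2 and /var/log/tomcat6 are group adm,
# so "adduser <user> adm" covers it without handing out less or vi as root.
%appops ALL = (root) POWER, APACHE, TOMCAT, OURAPP, NETWORK
EOF
}

# Write the drop-in into $1 (default /etc/sudoers.d) with mode 0440. The temporary
# name contains a dot, so sudo ignores it until the rename; when running as root,
# visudo -c must accept the file before it goes live.
install_sudoers_dropin() {
    dir=${1:-/etc/sudoers.d}
    tmp=$(mktemp "$dir/.ourapp-ops.XXXXXX")
    render_sudoers_dropin > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c also checks owner and mode, which only hold when run as root
    if [ "$(id -u)" = 0 ] && ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/ourapp-ops"
}
```

Editing /etc/network/interfaces is left out on purpose; that needs a wrapper that validates the new file rather than an editor run as root, as Bron Gondwana's answer explains.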