On my Synology Diskstation running DSM 6 only admin users can ssh in consistently (non-admin users have shell as /sbin/nologin in /etc/passwd -- you can set this to /bin/sh to temporarily allow ssh, but on reboot the /etc/passwd file is reset). For this reason some kind of sudo restriction is needed for an account which otherwise exists only to execute e.g. /sbin/poweroff. The following lines in /etc/sudoers worked for me:
# Allow guestx user to remote poweroff
guestx ALL=(ALL) !ALL
guestx ALL=NOPASSWD: /sbin/poweroff
Translation: disallow all commands, then allow only the desired command (without asking for password in this case).
With this configuration sudo asks for the password and then fails for commands other than the whitelisted one:
guestx@ds:~$ sudo su -
Password:
Sorry, user guestx is not allowed to execute '/bin/su -' as root on ds.
guestx@ds:~$
3Although use of sudo can be restricted to particular commands, this can be tricky and requires some trust. If you do not trust the user, then giving them any sudo access is a bad idea. It will either give them root privileges or give them a focused app to attack to get root privileges. Letting someone run
sudo bash
is equivalent in most ways to having the root password. From asudo bash
shell they can run any admin command, install or delete software, delete users and directories, etc. – Paul – 2014-06-11T09:15:54.377@Paul Can u suggest me better and practical options for this ? – None – 2014-06-11T09:44:11.350
First, this is off topic on stack overflow. Better places to ask include superuser, or askubuntu, or linux&unix. First figure out exactly what you want to allow tomc to do. tomc should be allowed to do _____ but not ________. Then ask. Sudo is for commands that require root (admin) priv. He can run bash already without running it as root. – Paul – 2014-06-11T09:50:12.443