I would like to create a new user on some of my Debian/Ubuntu hosts that is able to update the server using the commands apt-get update and apt-get dist-upgrade, but I do not wan't to give them full sudo access to be able to do anything else. Is this possible? Perhaps there is a way to create a script that they can't edit but can execute, which will get executed as the root user?
Asked
Active
Viewed 7.6k times
27
Programster
- 2,157
- 9
- 23
- 35
-
2See `man sudoers` and `sudo cat /etc/sudoers`. – goldilocks Jul 12 '15 at 12:19
-
Thanks @goldilocks I had always thought the sudoers file was just to allow people to be granted root access before. – Programster Jul 12 '15 at 12:52
1 Answers
42
Sudo and the /etc/sudoers file aren't just for granting users full root access.
You can edit the sudoers file with an existing sudo user, with the command sudo visudo
You can group the commands that you want to grant access to like below:
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/halt, /sbin/reboot
Cmnd_Alias UPDATE_COMMANDS = /usr/bin/apt-get
You can then give a specific user privileges to those commands like so:
[User's name] ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS, UPDATE_COMMANDS
This can be seen in the image below
:
Now if you try sudo apt-get update or sudo apt-get dist-upgrade those commands will execute without asking for a password. If you want to be prompted for a password, remove the NOPASSWD bit where you grant a user access to command groups.
If you try to run anything else as the sudo user, you will be prompted for a password and fail.
References
Programster
- 2,157
- 9
- 23
- 35
-
8Note that giving users the permission to run `apt-get`, or even merely `apt-get upgrade`, **gives them full root access**! Many upgrade scripts allow the interactive user to execute a shell, for example when a configuration file has changed. To be safe, restrict `apt-get` to certain commands, and force it to be non-interactive. See [Is it safe for my ssh user to be given passwordless sudo for `apt-get update` and `apt-get upgrade`?](http://unix.stackexchange.com/questions/205385/is-it-safe-for-my-ssh-user-to-be-given-passwordless-sudo-for-apt-get-update-an) – Gilles 'SO- stop being evil' Jul 12 '15 at 21:22
-
-