Hard code command permission in /etc/sudoers

Support for security such as Firewalls and securing linux
Post Reply
hoanggeneral
Posts: 6
Joined: 2017/03/30 19:47:09

Hard code command permission in /etc/sudoers

Post by hoanggeneral » 2018/06/20 16:33:23

I am trying to create a user account on my CentOS 6.6 machine with the following permissions only:
- Be able to login to SSH console
- Be able to copy the file /tmp/callTom.call to /tmp/callTom_now.call.

Code: Select all

cp /tmp/callTom.call /tmp/callTom_now.call
- Be able to change the owner of the file /tmp/callTom_now.call.

Code: Select all

chown asterisk:asterisk callTom_now.call
- Be able to move the file /tmp/callTom_now.call to /var/spool/asterisk/outgoing/.

Code: Select all

mv /tmp/callTom_now.call /var/spool/asterisk/outgoing/
I do not want to give the user account permission to do anything else.

Is it possible to hard code specific commands, which this user account can do, in the /etc/sudoers file?

Thank you.
Earth is our home. Preserve it!

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hard code command permission in /etc/sudoers

Post by TrevorH » 2018/06/20 19:29:08

First off, you need to yum update as 6.6 is way out of date and riddled with security vulnerabilities. The latest at the present time is 6.9 and RHEL 6.10 was released the day before yesterday and will be available for CentOS soon.

A normal user probably doesn't need any special permission to copy one file from /tmp to another file in /tmp. All of /tmp is writable by anyone (and if it isn't then it should be).

The easiest way to do what you want is not to use sudo at all but to add your user to the asterisk group.

But, yes, it's possible to specify a list of the exact commands you want a user to be able to perform in /etc/sudoers. Pretty sure there are even examples of that in the supplied file.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hoanggeneral
Posts: 6
Joined: 2017/03/30 19:47:09

Re: Hard code command permission in /etc/sudoers

Post by hoanggeneral » 2018/06/20 19:54:00

In security best practice, allow user just enough right to do what the user need to do.
With that being said, within the /etc/sudoers how do I block the user account from executing all commands except for cp, chown and mv?
Earth is our home. Preserve it!

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hard code command permission in /etc/sudoers

Post by TrevorH » 2018/06/20 20:24:59

By not specifying anything else in the set of commands they're allowed to use. Don't use wildcards in sudoers, always use full filenames and paths.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply