Hard code command permission in /etc/sudoers

Posted: 2018/06/20 16:33:23
by hoanggeneral
I am trying to create a user account on my CentOS 6.6 machine with the following permissions only:
- Be able to login to SSH console
- Be able to copy the file /tmp/callTom.call to /tmp/callTom_now.call.
    cp /tmp/callTom.call /tmp/callTom_now.call
- Be able to change the owner of the file /tmp/callTom_now.call.
    chown asterisk:asterisk callTom_now.call
- Be able to move the file /tmp/callTom_now.call to /var/spool/asterisk/outgoing/.
    mv /tmp/callTom_now.call /var/spool/asterisk/outgoing/
I do not want to give the user account permission to do anything else.

Is it possible to hard code specific commands, which this user account can do, in the /etc/sudoers file?

Thank you.

Re: Hard code command permission in /etc/sudoers

Posted: 2018/06/20 19:29:08
by TrevorH
First off, you need to yum update as 6.6 is way out of date and riddled with security vulnerabilities. The latest at the present time is 6.9 and RHEL 6.10 was released the day before yesterday and will be available for CentOS soon.

A normal user probably doesn't need any special permission to copy one file from /tmp to another file in /tmp. All of /tmp is writable by anyone (and if it isn't then it should be).

The easiest way to do what you want is not to use sudo at all but to add your user to the asterisk group.

But, yes, it's possible to specify a list of the exact commands you want a user to be able to perform in /etc/sudoers. Pretty sure there are even examples of that in the supplied file.

Re: Hard code command permission in /etc/sudoers

Posted: 2018/06/20 19:54:00
by hoanggeneral
In security best practice, you allow a user just enough rights to do what the user needs to do.
With that being said, within /etc/sudoers how do I block the user account from executing all commands except for cp, chown and mv?

Re: Hard code command permission in /etc/sudoers

Posted: 2018/06/20 20:24:59
by TrevorH
By not specifying anything else in the set of commands they're allowed to use. Don't use wildcards in sudoers, always use full filenames and paths.
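The following sudoers drop-in is an added example of what the two replies above describe (an exact command list, full paths, no wildcards); it is not from either poster. It assumes the restricted account is called "calluser", that the stock "#includedir /etc/sudoers.d" line is present in /etc/sudoers, and that chown and mv live in /bin as they do on CentOS 6.

```sudoers
# Drop-in file /etc/sudoers.d/callTom (the file name and the account name
# "calluser" are assumptions for this example). Edit it with
# "visudo -f /etc/sudoers.d/callTom" so the syntax is checked before it
# takes effect, and keep the file mode 0440.
#
# Binaries are given by full path (CentOS 6 keeps chown and mv in /bin)
# and every argument is spelled out: sudo matches the argument list
# literally, so the user can run exactly these two commands and nothing else.
# The cp step is left out because copying within /tmp needs no privilege.
# The ':' in asterisk:asterisk must be escaped inside the sudoers file only.

Cmnd_Alias CALLTOM_CHOWN = /bin/chown asterisk\:asterisk /tmp/callTom_now.call
Cmnd_Alias CALLTOM_MV    = /bin/mv /tmp/callTom_now.call /var/spool/asterisk/outgoing/

# Allowed: only the two aliased commands, as root, on any host.
calluser ALL = (root) NOPASSWD: CALLTOM_CHOWN, CALLTOM_MV

# Not this: a wildcard in the argument list would let the account chown or
# mv any file on the system, which is exactly what the reply above warns against.
# calluser ALL = (root) /bin/chown *, /bin/mv *
```

Check the result with "visudo -cf /etc/sudoers.d/callTom" (syntax check) and "sudo -l -U calluser" (lists exactly what the account may run). The account then types the commands as listed, without the backslash: "sudo /bin/chown asterisk:asterisk /tmp/callTom_now.call" and "sudo /bin/mv /tmp/callTom_now.call /var/spool/asterisk/outgoing/". Any deviation in path or arguments is refused and logged to /var/log/secure.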