Instead of granting a user global root privileges or, even worse, handing out the root password, consider "sudo" for a limited set of commands. You can combine this with an ACL that allows the user to modify only certain files, again without having to set overly lenient global file permissions.
Let's assume you want to grant the user "gutzmtho" the ability to modify a specific Apache configuration file and restart the HTTP server.
There are several steps involved: modify the sudo configuration, add a user specific sudo config file, and add an ACE (access control entry) to the ACL for the file in question.
- Modify / check the sudo configuration. Instead of adding specific information to the main sudo configuration file in /etc/sudoers, you should add specific config files to /etc/sudoers.d. This way you can leave /etc/sudoers alone, and it's much easier to review the settings.
- Add a new user specific sudo configuration file to /etc/sudoers.d. In our example we enter:
vi /etc/sudoers.d/gutzmtho   # the file name must not contain a "."
- User "gutzmtho" shall be allowed to run the commands "systemctl status httpd", "systemctl reload httpd" and "systemctl restart httpd". The first command is not restricted by default, so we can ignore it. The line to be added is:
gutzmtho ALL = NOPASSWD: /bin/systemctl reload httpd, /bin/systemctl restart httpd
- Now we can test if sudo works as expected:
su - gutzmtho
sudo systemctl reload httpd
- Now we want to allow the user to modify the file:
setfacl --modify=user:gutzmtho:rwx /etc/httpd/conf.d/php.conf
The same can be done for user groups:
usermod -aG wheel gutzmtho   # -a appends to the supplementary groups instead of replacing them; effective after the next login
%wheel ALL = NOPASSWD: /bin/systemctl reload httpd, /bin/systemctl restart httpd
setfacl --modify=group:wheel:rwx /etc/httpd/conf.d/php.conf
In our example we are using the keyword "NOPASSWD:"; this way the user doesn't have to enter a password when running the sudo command.
You can review the ACL with getfacl:
getfacl /etc/httpd/conf.d/php.conf
A specific ACE can be removed with a command like:
setfacl --remove=user:gutzmtho /etc/httpd/conf.d/php.conf
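Putting the steps above together, as an added example that is not part of the original article: a small bash script that renders the sudoers line, installs it as a drop-in under /etc/sudoers.d with the 0440 mode sudo expects and a visudo syntax check, and then grants the file ACL. The user, group, commands and file path are those used in the article; the function names, the --apply switch and the SUDOERS_D override are assumptions made here. It grants rw rather than rwx on the configuration file, since a .conf file never needs execute permission, and it rejects drop-in names that sudo would silently ignore (names containing a "." or ending in "~").

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Assumed here: the
# function names, the --apply switch and the SUDOERS_D override (tests point
# it at a temporary directory instead of /etc/sudoers.d).
set -u

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# sudo skips drop-ins whose name contains a '.' or ends in '~' (editor
# backups, package leftovers), so such a file would be silently ignored.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Render one sudoers line for a principal ($1: a user name or %group) and
# the exact, fully qualified commands it may run; sudoers separates
# commands with ", ". The path /bin/systemctl is taken from the article;
# check it against `command -v systemctl` on the target host.
render_sudoers_line() {
    local who="$1"; shift
    local cmds="" c
    for c in "$@"; do
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL = NOPASSWD: %s' "$who" "$cmds"
}

# Write the drop-in with the 0440 mode sudo requires. When running as root
# with visudo available, check the syntax and remove a broken file again
# so sudo keeps working for everybody else (visudo -c also verifies that
# the file is owned by root, which is why the check is gated on root).
install_sudoers_dropin() {
    local name="$1" line="$2" path
    valid_dropin_name "$name" || { echo "unusable drop-in name: $name" >&2; return 1; }
    path="$SUDOERS_D/$name"
    ( umask 027 && printf '%s\n' "$line" > "$path" ) || return 1
    chmod 0440 "$path" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$path" >/dev/null; then
            rm -f "$path"
            echo "sudoers syntax error in $path, drop-in removed" >&2
            return 1
        fi
    fi
}

# Grant read/write on one file via an ACE. $1 is u:<user> or g:<group>;
# rw is enough for a configuration file, execute is never needed.
grant_file_acl() {
    local who="$1" file="$2"
    setfacl --modify="$who:rw" "$file" && getfacl --omit-header "$file"
}

# The article's example, applied only when invoked as: ./script.sh --apply
main() {
    local line
    line=$(render_sudoers_line gutzmtho \
        "/bin/systemctl reload httpd" "/bin/systemctl restart httpd")
    install_sudoers_dropin gutzmtho "$line" || return 1
    grant_file_acl u:gutzmtho /etc/httpd/conf.d/php.conf
}

if [ "${1:-}" = "--apply" ]; then
    main || exit 1
fi
```

Run it as root with --apply; without the switch the file only defines the functions, so it can be sourced and checked first. The drop-in is only read if /etc/sudoers contains the include directive for /etc/sudoers.d (`#includedir /etc/sudoers.d` on older sudo, `@includedir /etc/sudoers.d` from sudo 1.9.1 on), which the distribution's default file normally has. For the group variant, pass `%wheel` and `g:wheel`; note that on many distributions /etc/sudoers already grants the wheel group unrestricted sudo, so a dedicated group is the safer choice for a restricted rule set.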
For more information see the man pages at
- Sudo manual: http://www.sudo.ws/man/sudo.man.html
- Sudo configuration manual: http://www.sudo.ws/man/sudo.conf.man.html
- Sudoers manual: http://www.sudo.ws/man/sudoers.man.html
- setfacl: http://linux.about.com/library/cmd/blcmdl1_setfacl.htm