Instead of granting a user full root privileges or, worse still, handing out the root password, consider allowing "sudo" for a limited set of commands. You can combine this with a file ACL so that the user may modify only specific files, again without loosening the global file permissions.

Let's assume you want to grant the user "gutzmtho" the ability to modify a specific Apache configuration file and restart the HTTP server.

Step-by-step guide

There are several steps involved: check the main sudo configuration, add a user-specific sudo drop-in file under /etc/sudoers.d, and add an ACE (access control entry) to the ACL of the file in question.

  1. Check the sudo configuration in /etc/sudoers
    Instead of adding entries to the main configuration file /etc/sudoers, put them into separate files under /etc/sudoers.d. This leaves /etc/sudoers untouched and makes the settings much easier to review. For this to work, /etc/sudoers must contain the line "#includedir /etc/sudoers.d" (the leading "#" is part of the directive, not a comment; sudo 1.9.1 and later also accept "@includedir"). Check it with "grep includedir /etc/sudoers".
  2. Add a new user-specific sudo configuration file to /etc/sudoers.d. In our example we enter:
    1. visudo -f /etc/sudoers.d/gutzmtho # visudo checks the syntax before saving; a drop-in with a syntax error can break sudo for everyone. sudo ignores file names that contain a "." or end in "~", and the file mode must be 0440.
    2. User "gutzmtho" shall be allowed to run the commands "systemctl status httpd", "systemctl reload httpd" and "systemctl restart httpd". The first command does not need root privileges, so it needs no sudo entry. The line to be added is:
      gutzmtho ALL = NOPASSWD: /bin/systemctl reload httpd, /bin/systemctl restart httpd
      sudoers requires absolute paths; use the path of systemctl on your system (see "command -v systemctl"), and spell the arguments exactly as the user will type them, because sudo matches the arguments against the sudoers entry as written.
  3. Now we can test whether sudo works as expected ("sudo -l" lists the commands the user is allowed to run):
    su - gutzmtho
    sudo systemctl reload httpd
  4. Now we want to allow the user to modify the file /etc/httpd/conf.d/php.conf:
    setfacl --modify=user:gutzmtho:rw /etc/httpd/conf.d/php.conf
    Read and write permission is enough; a configuration file is never executed, so do not grant "x". Bear in mind that whoever can edit an Apache configuration file and restart the server can, for instance, add a LoadModule directive or point CustomLog at a pipe, and both the module and the piped log program are started by the parent httpd process, which normally runs as root. The combination is therefore still a high level of trust; grant it only for files whose contents you are prepared to let that user control.

The same can be done for a user group. Use a dedicated group for this purpose rather than "wheel": on Red Hat based systems and their derivatives the default /etc/sudoers already grants the wheel group unrestricted sudo rights ("%wheel ALL=(ALL) ALL"), so adding the user to wheel would defeat the purpose of the exercise. In the example the group is called httpdadm:

  1. groupadd httpdadm
  2. usermod -aG httpdadm gutzmtho # -a appends to the supplementary groups; without it, usermod -G replaces them. Effective after the next login
  3. visudo -f /etc/sudoers.d/httpdadm
    %httpdadm ALL = NOPASSWD: /bin/systemctl reload httpd, /bin/systemctl restart httpd
  4. setfacl --modify=group:httpdadm:rw /etc/httpd/conf.d/php.conf
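The following script is an added example, not code from the original page: it carries out the user steps above in one go (build the sudoers line, check that /etc/sudoers includes the drop-in directory, validate the drop-in with visudo before it goes live, set the ACL, and show the result). It assumes the user gutzmtho, the service httpd and the file /etc/httpd/conf.d/php.conf from the page; resolving the systemctl path with "command -v" and staging the drop-in under a dotted name (which sudo ignores) are the editor's own additions. The same helper builds a "%group" line for the group variant.

```shell
#!/bin/sh
# Added example (not from the original page): build, validate and install the
# sudoers drop-in from the steps above and set the file ACL, then verify both.
# Assumptions: user gutzmtho, service httpd and file /etc/httpd/conf.d/php.conf
# as in the page; the path of systemctl is resolved with "command -v" so the
# sudoers entry matches the binary sudo will actually look up.
set -eu

# sudoers(5) silently skips drop-in files whose names contain a "." or end
# in "~" (editor backups). Return 0 for a name sudo will read, 1 otherwise.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Print one sudoers line: PRINCIPAL (a user name, or %group) may run the listed
# systemctl VERBs on SERVICE as root without a password.
sudoers_line() {
    principal=$1; systemctl=$2; service=$3; shift 3
    cmds=""
    for verb in "$@"; do
        cmds="${cmds:+$cmds, }$systemctl $verb $service"
    done
    printf '%s ALL = NOPASSWD: %s\n' "$principal" "$cmds"
}

# Install LINE as /etc/sudoers.d/NAME: stage it under a dotted name (ignored by
# sudo), set mode 0440, let visudo reject syntax errors, then rename into place.
install_dropin() {
    name=$1; line=$2
    valid_dropin_name "$name" || { echo "invalid drop-in name: $name" >&2; return 1; }
    tmp=$(mktemp "/etc/sudoers.d/.$name.XXXXXX")
    printf '%s\n' "$line" > "$tmp"
    chmod 0440 "$tmp"
    visudo -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "/etc/sudoers.d/$name"
}

# Run the actual procedure only when invoked as "apply" (needs root).
if [ "${1:-}" = apply ]; then
    user=gutzmtho; service=httpd; conf=/etc/httpd/conf.d/php.conf
    systemctl=$(command -v systemctl)
    # Without this directive sudo never reads /etc/sudoers.d at all.
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers.d' /etc/sudoers ||
        { echo "/etc/sudoers lacks #includedir /etc/sudoers.d" >&2; exit 1; }
    install_dropin "$user" "$(sudoers_line "$user" "$systemctl" "$service" reload restart)"
    setfacl -m "user:$user:rw" "$conf"   # rw is enough; the file is not executed
    sudo -l -U "$user"                    # show what the user may now run
    getfacl "$conf"                       # show the new ACE and the mask
fi
```

Run it as root with "sh grant-httpd.sh apply" (the file name is arbitrary); without the "apply" argument it only defines the helper functions, so it can be sourced and inspected on a machine where you are not root. Staging the drop-in under a name containing a "." means a half-written or invalid file is never picked up by sudo, and "visudo -c -f" refuses to let a syntax error reach /etc/sudoers.d.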


In our example we use the keyword "NOPASSWD:"; this way the user does not have to enter a password when running the sudo command. Leave the keyword out if you want the user to authenticate first; sudo then asks for the user's own password, never the root password.

You can review the ACL with: getfacl /etc/httpd/conf.d/php.conf. A specific ACE can be removed with a command like setfacl --remove=user:gutzmtho /etc/httpd/conf.d/php.conf.

For more information see the man pages at