Yes, sudo can be configured to allow specific users or groups to execute only certain commands with elevated privileges. This is done by editing the /etc/sudoers file, which defines the permissions for sudo.
Here’s how you can configure sudo for specific commands:
- Edit the sudoers file: Use the `visudo` command to safely edit the `/etc/sudoers` file. This command checks for syntax errors before saving changes.

      sudo visudo

- Define User Permissions: You can specify which commands a user or group can run. The syntax is as follows:

      username ALL=(ALL) /path/to/command

  For example, to allow the user `joker` to run the `systemctl restart apache2` command:

      joker ALL=(ALL) /bin/systemctl restart apache2

- Allow Group Permissions: You can also allow a group to run specific commands. For example, to allow all users in the `admin` group to run the `shutdown` command:

      %admin ALL=(ALL) /sbin/shutdown

- Multiple Commands: You can specify multiple commands by separating them with commas:

      joker ALL=(ALL) /bin/systemctl restart apache2, /usr/bin/apt-get update

- No Password Prompt: If you want to allow a user to run a command without being prompted for a password, you can add `NOPASSWD:` before the command:

      joker ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2
By configuring sudo in this way, you can enhance security by limiting the commands that users can execute with elevated privileges, reducing the risk of accidental or malicious changes to the system.
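As an added example (not part of the original answer), the shell function below lints a single rule in the form shown above before it is pasted into `visudo`. The name `audit_rule` is hypothetical; the check relies on the documented sudoers behaviour that a command listed without arguments may be run with any arguments, while a command listed with arguments must match them exactly.

```shell
#!/bin/sh
# Added example: lint one sudoers user-spec line before it goes through visudo.
# Handles only the simple form used on this page:
#   who host=(runas) [NOPASSWD:] cmd [args], cmd [args]
# Aliases, Defaults lines, escaped commas and line continuations are not parsed.

audit_rule() (
    rule=$1
    spec=${rule#*=}    # drop the "who host=" part
    # Drop the optional "(runas)" list and any leading whitespace.
    spec=$(printf '%s' "$spec" |
        sed -e 's/^[[:space:]]*([^)]*)//' -e 's/^[[:space:]]*//')
    case $spec in
        NOPASSWD:*) nopass=yes; spec=${spec#NOPASSWD:} ;;
        *)          nopass=no ;;
    esac
    # Split the command list on commas and judge each command on its own.
    printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r cmd; do
        cmd=$(printf '%s' "$cmd" |
            sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$cmd" ] || continue
        path=${cmd%% *}    # first word is the command path
        case $cmd in
            ALL)   verdict="UNRESTRICTED: every command allowed" ;;
            /*\ *) verdict="ok: arguments pinned" ;;
            /*)    verdict="WARN: no arguments listed, any arguments accepted" ;;
            *)     verdict="ERROR: sudoers requires an absolute command path" ;;
        esac
        if [ "$nopass" = yes ]; then
            verdict="$verdict; NOPASSWD"
        fi
        printf '%s -> %s\n' "$path" "$verdict"
    done
)

# Usage (constructed sample rule):
#   audit_rule 'joker ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2'
```

A rule that passes this lint should still be saved through `visudo`, and the resulting permissions confirmed with `sudo -l -U joker`.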
