
Is there a way to restrict the passwordless sudo commands to a set of "sub-commands"?

I am not looking for the answer to How do I run specific sudo commands without a password? I want to know if it is possible to specify "sub-commands".

For example if I created /etc/sudoers.d/foo with contents...

bar ALL = (root) NOPASSWD: /bin/systemctl

User bar would be able to run any systemctl commands without a password.

However, if I only want systemctl status <service> and systemctl restart <service> to be run without a password, is there a way to do that?

I tried...

bar ALL = (root) NOPASSWD: /bin/systemctl/restart

Just to see if it might work. It does not work.

If this restriction is possible, I would also like to know how to find the absolute path of a "sub-command".

Edit

I also tried...

$ which systemctl restart

But that only output /bin/systemctl

  • The "sub command" is commonly referred to as an argument or a parameter to the actual command. – WinEunuuchs2Unix Oct 21 '19 at 17:17
  • @WinEunuuchs2Unix Thanks! That's what I would normally call it too, but I looked at the manpage and it kept calling them 'commands' so that threw me off a little. – Daniel Morell Oct 21 '19 at 17:21
  • Systemd folks like to create their own little world I guess. – WinEunuuchs2Unix Oct 21 '19 at 17:24
  • Dumb idea maybe? Create a script with the exact command, let's say restart-service-x with content systemctl restart x, and give it the proper permissions. – schrodingerscatcuriosity Oct 21 '19 at 17:37
  • @guillermochamorro That crossed my mind. However, wrapping a bunch of commands in bash scripts just to handle permissions is not flexible and it is a lot of work. That being said, it is the option I will likely choose if a more direct method is not possible. – Daniel Morell Oct 21 '19 at 18:49
  • @guillermochamorro but they will still have access to systemctl and if they have a terminal they could type anything manually. The only way I can think of is your own homebrewed security system with each user name and which "subcommand" they are allowed to use. – WinEunuuchs2Unix Oct 21 '19 at 22:40
  • You could take a look at how the different commands are handled now. For example, you can run status on a system service without sudo, but not restart. On some distributions you can run poweroff as regular user, while some require root privileges. And the password prompt looks like polkit, so I'd bet there is already a configurable security system for exactly that purpose; you only have to find it. – danzel Oct 22 '19 at 08:19
  • There is an example in the archlinux wiki. If there is no answer tonight I'll post one. – danzel Oct 22 '19 at 08:28
  • @danzel That appears to be exactly what I am looking for. – Daniel Morell Oct 22 '19 at 20:53
  • @D.Morell unfortunately, I just read that Ubuntu still ships with policykit 0.105 (for various, complicated reasons), which is the last version before the JavaScript rules were implemented. (Actually, the switch from pkla based rules to JavaScript rules seems to be a major reason why Debian still maintains 0.105). You can, however, try to at least achieve some of your goals using pkla files. – danzel Oct 22 '19 at 21:29

0 Answers
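
Added example, not part of the original question or its comments: a sudoers rule may list a command together with its arguments, in which case sudo only matches an invocation whose arguments are exactly those. The user `bar` and the path `/bin/systemctl` come from the question; `example.service` is a placeholder unit name assumed for illustration.

```sudoers
# /etc/sudoers.d/foo   (edit with: visudo -f /etc/sudoers.d/foo)
# "example.service" is a placeholder unit name, not a value from the page.

# Too broad (the rule from the question): any systemctl verb on any unit.
# bar ALL = (root) NOPASSWD: /bin/systemctl

# Narrow: sudo compares the whole argument list, so only these exact
# invocations match this rule. Another verb, another unit, or extra
# options are not covered by it.
# "status" can start a pager running as root; requiring --no-pager keeps
# the permitted command non-interactive.
Cmnd_Alias BAR_SYSTEMCTL = \
    /bin/systemctl status --no-pager example.service, \
    /bin/systemctl restart example.service

bar ALL = (root) NOPASSWD: BAR_SYSTEMCTL

# Avoid wildcards in the argument part: arguments are matched as one
# concatenated string, so "*" also matches spaces and would accept
# additional units or options after the first one.
# bar ALL = (root) NOPASSWD: /bin/systemctl restart *
```

Check the file with `visudo -cf /etc/sudoers.d/foo` before relying on it, and list what the user is actually granted with `sudo -l -U bar`.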