On 29 Sep 2020, at 08:33, Niranjan Rao <nhrdls@xxxxxxxxx> wrote: > We have a need to allow certain group of people to perform operations such as start/stop/reload etc. Traditionally these operations are performed using sudo command e.g. sudo service apache2 start. These people don't need full sudo permissions. All they need is apache related permissions. We can tinker with an entry in sudoers.d and grant required permissions - but permissions need to be granted to "service" command Write a command (a simple shell script) that executes the command you want to allow, for example, /usr/local/bin/starta2 => "sudo apache2 start" and grant the user access to that script in the shudders file. Repeat with other commands. Make sure the script(s) is owned by root and has permissions 0700. > Are there any recommended best practices or guides to allow these kinds of granular permissions? My searches so far has revealed commands using sudo. Sudo is the way to do this, but to restrict specific commands to specific options, you have to to a little two-step. I do something like this to allow an unprivilegeduser to start rsnapshot. -- "He uses statistics as a drunken man uses lamp-posts... for support rather than illumination." - Andrew Lang (1844-1912) --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|