1

Is it possible to use sudo or some other mechanism to allow a user to only have access to running commands under another specific user account? (i.e. not root?)

I have to provide some level of administrative access over a web tool running under the shell-less account www-data. But on occasion it might be useful for them to be able to run programs as 'www-data' for doing administrative work on the web server. I'm not sure how to allow that while restricting their access to root or other services.

3
  • 1
    Have www-data own those programs, and enable the setuid bit on them. Commented Nov 29, 2017 at 18:13
  • OK, but what programs? The [need for] access isn't limited to a single command but to a set of files/directory tree and a handful of services (http/mysql/php). If they needed to restart the server, I could create a script and set-uid it, but I don't know what other things they might need to do. (run tar, create files, copy files, move files, etc) Commented Nov 29, 2017 at 18:15
  • I was merely referring to the programs to which you referred in the question. If they are system tools, then this is what sudo already exists to handle. Commented Nov 29, 2017 at 18:26

1 Answer

3

Yes - it is possible to do this with sudo. From the sudoers man page:

A Runas_Spec sets the default for the commands that follow it.  What this
 means is that for the entry:

 dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm—but only as
 operator.
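
Applied to the question's www-data case, a sudoers drop-in could look like the fragment below, with two overly broad forms shown commented out beside the restricted one. This is an added example, not part of the original answer; the login name `webadmin`, the file name and the command paths are assumptions.

```sudoers
# /etc/sudoers.d/webadmin  (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/webadmin   (syntax-checks before saving)
# "webadmin" is a hypothetical login; www-data is the account from the question.
# Command paths are assumptions; confirm them on the host, e.g. "command -v tar".

# Too broad: with no Runas_Spec the commands may be run as root.
# webadmin ALL = /bin/tar, /bin/cp, /bin/mv

# Too broad: (ALL) lets webadmin choose any target user, root included.
# webadmin ALL = (ALL) /bin/tar, /bin/cp, /bin/mv

# Restricted: the listed commands may be run only as www-data.
# The Runas_Spec applies to every command that follows it in the entry.
webadmin ALL = (www-data) /bin/tar, /bin/cp, /bin/mv

# Alternative when the set of commands is not known in advance:
# any command, but still only as www-data. This includes an interactive
# shell as www-data, so it grants everything that account can reach.
# webadmin ALL = (www-data) ALL

# Invoke:  sudo -u www-data /bin/tar -czf /tmp/site.tgz -C /var/www html
# Verify:  sudo -l -U webadmin     (as root: lists what webadmin may run, and as whom)
# Expect:  the same command without "-u www-data" is refused, because root
#          is not an allowed run-as user for webadmin.
```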