How to allow a normal user or group to run commands as Root in Linux

We all know sudo has an elevated access, that can perform most of the root action. So, we should not allow low end users to gain sudo stand for superuser do access which leads to damage the system badly when they perform wrong action without their knowledge.

In some cases, Development team need elevated access to perform some action as root ,what you will do is those situation ?

Instead of permitting sudo access, we can allow a user to run required commands as root using their own password by adding the user to /etc/sudoers file with following format.

[UserName] [HostName]=[Command1, Command2,..CommandN]

Details about /etc/sudoers Syntax :
UserName : Name of the normal user
HostName : System hostname where user going to perform the action.
Command : List of the commands user allowed to run, you can specify an arguments (including wildcards).

Alternatively we can allow the users to run the commands without password using following format/syntax.

[UserName] [HostName]= [NOPASSWD:] [Command1, Command2,..CommandN]

sudo logs are located at following location, for RPM based systems (RHEL/CentOS/Fedora) /var/log/secure & DEB based systems (Ubuntu/Debian) /var/log/auth.log.

Example-1 : Allow user to run commands with password

In this example, we will show you, how to allow user to run Apache service command with password.

Open /etc/sudoers file and add the user with following format to accomplish this.

# visudo
magi centos.2daygeek.com=/etc/init.d/httpd

We have permitted user magi to run Apache commands like start, stop, and restart and my system host name is centos.2daygeek.com.

We are going to perform the following commands to check whether it’s working or not for user magi.

$ sudo /etc/init.d/httpd stop
$ sudo /etc/init.d/httpd start
$ sudo /etc/init.d/httpd restart

For better understanding, navigate to sudo log file and see, because sudo command has logged everything.

# tail -f /var/log/secure
Jul 20 16:48:24 vps138235 sudo:     magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd stop
Jul 20 16:51:52 vps138235 sudo:     magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd start
Jul 20 16:51:59 vps138235 sudo:     magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd restart

Note : When the user trying to run any other command apart from Apache service, it will throw permission denied error. See below.

$ sudo /etc/init.d/mysqld stop
Sorry, user magi is not allowed to execute '/etc/init.d/mysqld stop' as root on centos.2daygeek.com.

Example-2 : Allow user to run commands without password

In this example, we will show you, how to allow user to execute chown command on root user files (By default normal user can’t change the root user file permission).

Open /etc/sudoers file and add the user with following format to accomplish this.

# visudo
magi centos.2daygeek.com=NOPASSWD: /bin/chown

We have permitted user magi to run chown command as root without asking sudo password. We are going to change the httpd.conf file permission from root to mine.

Before perform action:

# ls -lh /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 root root 34K Jul  7 06:34 /etc/httpd/conf/httpd.conf

We are going to perform the following command to check whether its working or not for user magi.

$ sudo chown magi:magi /etc/httpd/conf/httpd.conf

After action performed:

# ls -lh /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 magi magi 34K Jul  7 06:34 /etc/httpd/conf/httpd.conf

Example-3 : Allow user to run commands with particular arguments

In this example, we will show you, how to allow user to run MySQL service command with particular arguments.

Open /etc/sudoers file and add the user with following format to accomplish this.

# visudo
magi centos.2daygeek.com=/etc/init.d/mysqld restart

We have permitted user magi to run mysql restart command only instead of permitting all like start, stop, and restart.

$ sudo /etc/init.d/mysqld restart
[sudo] password for magi:
Stopping mysqld:                                           [  OK  ]
Starting mysqld:                                           [  OK  ]

Its throwing error, when we are trying to run other MySQL service commands.

$ sudo /etc/init.d/mysqld stop
[sudo] password for magi:
Sorry, user magi is not allowed to execute '/etc/init.d/mysqld stop' as root on centos.2daygeek.com.

Example-4 : Allow user to run various commands

In this example, we will show you, how to allow user to run various commands.

Open /etc/sudoers file and add the user with following format to accomplish this.

# visudo
magi centos.2daygeek.com=/sbin/halt, /bin/kill

We have permitted user magi to run halt & kill commands.

Example-5 : Allow user to run commands with wildcards

In this example, we will show you, how to allow user to run all commands under /bin with wildcards option.

Open /etc/sudoers file and add the user with following format to accomplish this.

# visudo
magi centos.2daygeek.com=/bin/*

We have permitted user magi to run any commands under /bin like chmod, chown, fdisk, etc.,.

Example-6 : Allow Group to run commands with password

In this example, we will show you, how to allow group (group of users) to run commands.

[%][GroupName] [HostName]=[Command1, Command2,..CommandN]

/etc/sudoers Syntax For Group :
% : Allows user in the group to perform action.
GroupName : Name of the Group
HostName : System host name where user going to perform the action.
Command : List of the commands user allowed to run, you can specify an arguments (including wildcards).

Let’s imagine, we have a group called 2daygeek and magi & daygeek are members.

# grep "2daygeek" /etc/group
2daygeek:x:502:magi,daygeek

Open /etc/sudoers file and add the group with following format to accomplish this.

# visudo
%2daygeek centos.2daygeek.com=/etc/init.d/httpd

We have permitted people in group 2daygeek to run Apache Service commands. Check the below log for better understanding.

Jul 21 07:26:27 vps138235 sudo:     magi : TTY=pts/1 ; PWD=/home/magi ; USER=root ; COMMAND=/etc/init.d/httpd stop
Jul 21 07:29:07 vps138235 sudo:  daygeek : TTY=pts/2 ; PWD=/home/daygeek ; USER=root ; COMMAND=/etc/init.d/httpd start

We have performed Apache Stop command from magi & Apache Start command from daygeek.

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

3 Comments on “How to allow a normal user or group to run commands as Root in Linux”

  1. A great article, thank you!

    And how to gain a particular access to any group, not a single user?

Leave a Reply

Your email address will not be published. Required fields are marked *