In this guide, you are going to learn how to run only specific commands with sudo in Linux.
Our previous guide covered how to add user to sudo group to enable them to execute the commands with elevated privileges.
How to Add Users to sudo group in Linux
So it is possible to enable a user to run specific commands only with sudo in Linux. This can be done by modifying the /etc/sudoers
file or by adding user specific sudoers configuration file under the /etc/sudoers.d
directory.
For example, to allow a user called john to restart Network Manager as user root on all hosts, edit the sudoers file and add the line below.
visudo
To edit sudoers file, you need to be root user or have sudo privileges.
sudo visudo
Next, add the line below;
john ALL=(root) /bin/systemctl restart NetworkManager
To run specific commands with sudo as any target user, for example to allow user john to restart only Apache service using sudo;
john ALL=(ALL) /bin/systemctl restart apache2
Note that while adding sudo privileges for the user, it is more safer to put the user specific sudo configuration under the /etc/sudoers.d
directory for example;
NOTE: Be extra cautions when echoing commands. You can easily mess up and loose sudo access to your system. Unless the root user is allowed to login, you can try to use echo.
echo "john ALL=(root) /bin/systemctl restart apache2" > /etc/sudoers.d/john
Always be sure to confirm if the syntax of the sudo configs is okay when you echo commands;
visudo -c /etc/sudoers.d/john
Ensure the output is Ok. Otherwise, fix any would be errors.
/etc/sudoers.d/john: parsed OK
To check the validity of all sudoers config files;
visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/eliza: bad permissions, should be mode 0440
/etc/sudoers.d/john: parsed OK
To allow a specific user to run multiple specific commands with sudo;
john ALL=(ALL) /path/to/command1, /path/to/command2, /path/to/command3
Replace /path/to/command
with the full path of the commands to run and the arguments (if any).
You can find the full path of the command using which
command. For example to locate the full path of the command, command1;
which command1
You can then run these commands by prefixing them with sudo as in;
sudo systemctl restart NetworkManager
sudo systemctl restart command1
For all these commands, you will be prompted to the password for user with which you run these commands as.
Want to run some commands sudo without being prompted for password?
Run sudo Commands Without a Password
sudo has an option called NOPASSWD
that can be used to specify commands that can be run as sudo without being prompted for the password.
For example, to enable user called john
to restart Network Manager on an Ubuntu system as any user without being prompted for password, at the line below to sudoers file.
john ALL=(ALL) NOPASSWD: /bin/systemctl restart NetworkManager
To restart NetworkManager as any target user and group, add the line below to sudoers file.
john ALL=(ALL:ALL) NOPASSWD: /bin/systemctl restart NetworkManager
You can simply put this line to user specific sudoers file as follows;
visudo -f /etc/sudoers.d/john
john ALL=(ALL) NOPASSWD: /bin/systemctl restart NetworkManager
To restart the Network Manager with sudo;
systemctl restart NetworkManager
To run all sudo commands without password prompt as any user,group on all hosts, enter the line below in sudoers file.
username ALL=(ALL:ALL) NOPASSWD:ALL
In this guide, you have learnt how to;
- run only specific commands using sudo in Linux
- run sudo commands without a password
Other tutorials;
How to Add Users to sudo group in Linux
Hi,
Very useful article
Thanks a lot
I’m guessing I did something wrong, but trying to follow this advice:
‘Note that while adding sudo privileges for the user, it is more safer to put the user specific sudo configuration under the /etc/sudoers.d directory for example;
echo “john ALL=(root) /bin/systemctl restart apache2” > /etc/sudoers.d/john’
Wrecked my server as I get a parse error on sudo commands now.
yeah, I almost learned it the hard way too… Luckly I had set a root password. So all I had to do was “su root” and then edit/fix the sudoers{,.d/*} file.
echoing to the files in this case is a terrible idea. The correct way of doing it is using the visudo comand, which checks and parses the file before saving them, and I hope the writer fixes it it the article.
#opens /etc/sudoers file
sudo visudo
# specifies the file to be opened.
sudo visudo -f /etc/sudoers.d/john
Very true!