The sudo command allows users to run commands with root privileges. This can be a powerful tool, but it can also be a security risk if not used carefully. One way to mitigate this risk is to allow sudo users to run particular authorized commands. In this guide, we will show you how to restrict sudo users to run specific commands with sudo privileges in Linux. We will also show you how to revert sudoers file back to the original configuration.
Table of Contents
Restrict Sudo Users to Run Authorized Commands
To restrict sudo users to ONLY run authorized commands, you can use the sudoers configuration file. On most Linux distributions, the sudoers file is located at /etc/sudoers file or /etc/sudoers.d/ directory.
Heads Up: Before making changes to the sudoers file, it's crucial to use caution, as incorrect configurations can lead to system issues. Always use the visudo command to edit the sudoers file, as it performs syntax checks before saving changes.
Here's how you can restrict sudo users to run specific commands:
1. It's highly recommended to backup the sudoers file before making any changes or edits to it. To backup sudoers file, run:
$ sudo cp /etc/sudoers /etc/sudoers.bak
By backing up the sudoers file, you can easily revert to a known-working configuration if errors occur during editing or in case of security incidents.
2. Open the sudoers file for editing using visudo command:
$ sudo visudo
3. Scroll down to the line where it says:
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
The above line means that members of the "sudo" group are allowed to execute any command with sudo privileges on any host and as any user or group. Essentially, it grants full sudo access to the users in the "sudo" group.
4. To allow the sudo users to execute only a specific command, for example apt, modify the line as shown below.
%sudo ALL=(ALL:ALL) /bin/apt
You can also specify multiple allowed commands for a user by separating them with commas:
%sudo ALL=(ALL:ALL) /path/to/allowed/command1,/path/to/allowed/command2
5. If you want to allow the user to run the allowed commands without entering a password, you can append NOPASSWD: before the command path. However, be cautious when using this option, as it might reduce the security of your system.
%sudo ALL=(ALL) NOPASSWD: /path/to/allowed/command
6. Once you've made the necessary changes, save and close the sudoers file.
7. Verify the syntax of your sudoers file before exiting visudo. If there are any syntax errors, visudo will prompt you to correct them.
After following these steps, all the members of the sudo group will only be able to execute the allowed commands with sudo privileges. Running all other commands with sudo privilege will be denied, even if the user is a member of sudo group.
Let us verify it by running the cat command with sudo privilege.
$ sudo cat /etc/sudoers
Sample Output:
[sudo] password for ostechnix: Sorry, user ostechnix is not allowed to execute '/usr/bin/cat /etc/sudoers' as root on debian12.ostechnix.lan.
Even though, the user 'ostechnix' is a member of sudo group, he can't run sudo cat /etc/sudoers command. Because, we restricted him to run only the apt command with sudo privilege.
Let us list all of the commands that the user ostechnix is allowed to run with sudo privileges.
$ sudo -lU ostechnix
[sudo] password for ostechnix:
Matching Defaults entries for ostechnix on debian12:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User ostechnix may run the following commands on debian12:
<strong><mark>(ALL : ALL) /bin/apt</mark></strong>
As you can see in the above output, the user ostechnix can run only apt command with sudo privilege.
Let us check if he can able to the apt command with sudo privilege.
$ sudo apt update
Yes, he has no problem on running the allowed command, which is apt in this case, with sudo rights. The user can also run all the sub-commands of apt, for example apt upgrade, apt full-upgrade etc.
Please note that this is applicable only for the commands run with sudo privilege. Executing any other commands without sudo will normally work.
Restoring Original sudoers File Configuration
If you want to revert the sudoers file back to the original configuration, you need to change it to the correct syntax that was originally present in the file. To do that, follow these steps:
1. Login as root user or switch to another sudo user who has full sudo privilege.
2. If you already have the backup, restore the sudoers file from the backup using the following command (assuming the backup file is in /etc directory).
$ sudo cp /etc/sudoers.bak /etc/sudoers
If you don't have backup, follow the subsequent steps.
3. Open the sudoers file for editing using visudo command. Make sure you're logged in as root or other sudo user.
$ sudo visudo
4. Locate the line that you want to modify. In our case, it's the line that grants sudo privileges to the sudo group and allows them to run /bin/apt.
5. Replace the current line with the original configuration that you want to restore. For example, if the current line is:
%sudo ALL=(ALL:ALL) /bin/apt
and you want to revert it back to the default configuration that grants full sudo privileges to the sudo group, it should be:
%sudo ALL=(ALL:ALL) ALL
6. Save and close the sudoers file.
7. Verify the syntax of your sudoers file before exiting visudo. If there are no syntax errors, the changes will be applied.
After making these changes, the sudo configuration will be modified back to the original settings, and the users will have the sudo privileges as they had before the changes were made.
Remember to be careful when modifying the sudoers file, as incorrect configurations can lead to issues with sudo access on your system. Always use visudo to edit the file to avoid syntax errors.
Conclusion
Restricting sudo users to run specific commands is a good way to improve the security of your Linux system. By limiting the commands that sudo users can run, you can reduce the risk of unauthorized access and system damage.
Related Read:
- How To Run Particular Commands Without Sudo Password In Linux
- How To Allow Or Deny Sudo Access To A Group In Linux
- How To Restrict Su Command To Authorized Users In Linux
- Run Commands As Another User Via Sudo In Linux
- How To Prevent Command Arguments With Sudo In Linux
- How To Run All Programs In A Directory Via Sudo In Linux
- How To Restore Sudo Privileges To A User
以上是如何限制sudo用戶在Linux中運行特定的授權命令的詳細內容。更多資訊請關注PHP中文網其他相關文章!
用sed命令掌握文本操縱Mar 16, 2025 am 09:48 AMLinux 命令行界面提供了豐富的文本處理工具,其中最強大的工具之一是 sed 命令。 sed 是 Stream EDitor 的縮寫,是一個多功能工具,允許對文本文件和流進行複雜的處理。 什麼是 Sed? sed 是一款非交互式文本編輯器,它操作管道輸入或文本文件。通過提供指令,您可以讓它修改和處理文件或流中的文本。 sed 最常見的用例包括選擇文本、替換文本、修改原始文件、向文本添加行或從文本中刪除行等操作。它可以在 Bash 和其他命令行 shell 中從命令行使用。 Sed 命令語法 sed
PILET:由Raspberry Pi提供動力的模塊化,便攜式迷你計算機Mar 06, 2025 am 10:11 AMDiscover Pilet:一種複古的,開源的迷你計算機,正在尋找一種將經典風格與尖端技術融合的迷你計算機? Meet Pilet是一個由Raspberry Pi 5的模塊化的開源奇蹟。擁有7小時的電池壽命
如何計算Linux中的文件和目錄:初學者指南Mar 19, 2025 am 10:48 AM有效地計數Linux中的文件和文件夾:綜合指南 知道如何快速計算Linux中的文件和目錄對於系統管理員和管理大型數據集的任何人至關重要。本指南使用簡單命令l演示
如何將用戶添加到Linux中的多個組Mar 18, 2025 am 11:44 AM有效管理用戶帳戶和組成員資格對於Linux/UNIX系統管理至關重要。 這樣可以確保適當的資源和數據訪問控制。 本教程詳細介紹瞭如何將用戶添加到Linux和Unix系統中的多個組中。 我們
用Liquorix內核增強Linux系統的秘密武器Mar 08, 2025 pm 12:12 PMLiquorix內核:提升Linux系統性能的利器 Linux以其靈活、安全和高性能而聞名,成為開發人員、系統管理員和高級用戶的首選操作系統。然而,通用Linux內核並非總是能滿足尋求最大性能和響應速度用戶的需求。這就是Liquorix內核發揮作用的地方——一個針對性能優化的替代方案,有望增強您的Linux系統。本文將探討Liquorix內核是什麼,為什麼您可能想要使用它,以及如何安裝和配置它以充分發揮系統的性能。 Liquorix內核詳解 Liquorix內核是一個預編譯的Linux內核,專為
如何從Commandline列出或檢查所有已安裝的Linux內核Mar 23, 2025 am 10:43 AMLinux內核是GNU/Linux操作系統的核心組件。由Linus Torvalds於1991年開發,是一種免費的開源,單片,模塊化和多任務Unix樣核。在Linux中,可以在Sing上安裝多個內核
如何在Ubuntu Linux中輸入印度盧比符號Mar 22, 2025 am 10:39 AM該簡短指南說明瞭如何在Linux操作系統中鍵入印度盧比符號。前幾天,我想在Word文檔中鍵入“ Indian Rupee符號(€)”。我的鍵盤上有一個盧比符號,但我不知道如何鍵入它。後
如何使Linux系統保持靜止Mar 06, 2025 am 11:13 AM保持計算機毫不費力地保持電腦! 這種輕巧的工具可防止您的系統入睡,非常適合長期下載,連續過程或僅維護系統活動。 與Linux,MacOS和Windows兼容,保持 -
熱AI工具
Undresser.AI Undress
人工智慧驅動的應用程序,用於創建逼真的裸體照片
AI Clothes Remover
用於從照片中去除衣服的線上人工智慧工具。
Undress AI Tool
免費脫衣圖片
Clothoff.io
AI脫衣器
AI Hentai Generator
免費產生 AI 無盡。
熱門文章
熱工具
SublimeText3 英文版
推薦:為Win版本,支援程式碼提示!
SAP NetWeaver Server Adapter for Eclipse
將Eclipse與SAP NetWeaver應用伺服器整合。
WebStorm Mac版
好用的JavaScript開發工具
SublimeText3 Linux新版
SublimeText3 Linux最新版
MinGW - Minimalist GNU for Windows
這個專案正在遷移到osdn.net/projects/mingw的過程中,你可以繼續在那裡關注我們。 MinGW:GNU編譯器集合(GCC)的本機Windows移植版本,可自由分發的導入函式庫和用於建置本機Windows應用程式的頭檔;包括對MSVC執行時間的擴展,以支援C99功能。 MinGW的所有軟體都可以在64位元Windows平台上運作。
