Sometimes you need to allow a group of users to use a few root commands or exec scripts with root priviledges.
In Linux, to give limited root access to a group, you need to edit the /etc/sudoers file.
Do not edit the /etc/sudoers file by hand, use sudo visudo instead. visudo will open the /etc/sudoers file in your default text editor and warn you if you type something wrong, that could generate system issues.
How to give root access to a group, for a few commands only:
Add this line in /etc/sudoers file:
%groupname ALL=(root) /path/to/command/,/path/to/command2/,/path/to/script
The command’s paths are separated one from another by comma (,) .
As an example, I will give the users beloging to the geeks group access to install packages with apt-get, aptitude and dpkg:
$ whereis apt-get
apt-get: /usr/bin/apt-get /usr/share/man/man8/apt-get.8.gz
$ whereis aptitude
aptitude: /usr/bin/aptitude /usr/share/aptitude /usr/share/man/man8/aptitude.8.gz
$ whereis dpkg
dpkg: /usr/bin/dpkg /etc/dpkg /usr/lib/dpkg /usr/share/dpkg /usr/share/man/man1/dpkg.1.gz
Next, add this in the /etc/sudoers:
%geeks ALL = (root) /usr/bin/apt-get,/usr/bin/aptitude,/usr/bin/dpkg
The user naboo belongs to the geeks group:
< /etc/group grep geeks | tail -1
geeks:x:1042:naboo
Test this commands:
$ sudo apt-get -y install emacs23
$ sudo aptitude -y install install emacs23
$ sudo dpkg -i transmission_2.33-0ubuntu2_all.deb
This asks for the user’s password.
How to give passwordless root access to a group, for a few commands only:
Add this in /etc/sudoers:
%groupname ALL=(root) NOPASSWD: /path/to/command/,/path/to/command2/,/path/to/script
To allow the users from the geeks group to have passwordless root priviledges to install packages only, add this to /etc/sudoers:
%geeks ALL = (root) NOPASSWD: /usr/bin/apt-get,/usr/bin/aptitude,/usr/bin/dpkg