I’ve been asked this question a lot of times - ‘Can we restrict sudo users to only a handfull commands?’. In this mini tutorial, I’ll show you how you can do that.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Click below to sign up and get $200 of credit to try our products over 60 days!
Alright, let’s begin,
First thing’s first, we’ll need to have a user created which will add to the ‘sudo’ group. To do that, ssh to your server as root
Once you are in, to create the user we’ll need to use the ‘useradd’ command. In this tutorial we’ll call the user ‘sammy’, it’s DigitalOcean afterall:
You will be prompted to create and verify a password for the user:
Next you’ll be asked to fill in some information about the new user. It is fine to accept the defaults and leave all of this information blank:
Now that we have the user created, we’ll need to add it to the proper group, in this tutorial, we are using ‘sudo’. So, we’ll need to run the following command:
That’s it, the user ‘sammy’ is now part of the ‘sudo’ group.
By default, the ‘sudo’ group can execute every command on the server as long as they use ‘sudo’. Let’s say we have a situation where we would want to restric this.
This can be done in the /etc/sudoers file.
Open the file with any editor you want and go to the line where it says
This line means that any user under the ‘sudo’ group has a permission to run all of the commands on the server. In order to restric the sudo group to a handfull of commands, you’ll need to edit that line.
Let’s say we want to give them the permission to use only the ‘ls’ and the ‘cd’ command on the server. In order to to this, we’ll need to edit the line to look like this
That’s it. Save the file and login with the newly created user ‘sammy’. Once you are in, try and use the commands ‘ls’ and ‘cd’. You’ll be able to execute them freely where you have the proper permissions, if you don’t have the permission ot list or change into a directory, simply using the sudo command will help. However if you try to use another sudo command, you’ll get a permissions denied.
Now, if you want to restrict the sudoers from running a specific command, you can use the ‘!’ befire it again in the sudoers file. Here is an example:
Now, any sudo user won’t be able to execute
Here is an example:
Having said that, this is a bit overkill. If you don’t want a sudo user to be able to run a command, not adding in the list would be enough.
You can add any command you wish to be either allowed or restricted.
If you have any suggestions or questions, feel free to ask them in the question bellow!
One last thing, you can check the following tutorial on how to manage users in a Unix environment :