Set up sudo so that a particular common user can edit /etc/fstab
Clash Royale CLAN TAG#URR8PPP up vote
1
down vote
favorite
How can I set up sudo so that a particular common user can edit /etc/fstab?
I've thought to edit /etc/sudoers.d file to do this, but how do we edit /etc/fstab in this file?
sudo fstab su etc
edited Feb 27 at 16:16
pa4080
12.3k52256
add a comment |Â
up vote
1
down vote
favorite
How can I set up sudo so that a particular common user can edit /etc/fstab?
I've thought to edit /etc/sudoers.d file to do this, but how do we edit /etc/fstab in this file?
sudo fstab su etc
edited Feb 27 at 16:16
pa4080
12.3k52256
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
2
Readman sudoers- it will show you how to allowsudoaccess only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g.vimand:!) that would give access to arootshell. In the security biz, that's Game Over. Also, readman sudoersaboutsudoeditand the-eoption.
– waltinator
Feb 27 at 16:07
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
How can I set up sudo so that a particular common user can edit /etc/fstab?
I've thought to edit /etc/sudoers.d file to do this, but how do we edit /etc/fstab in this file?
sudo fstab su etc
edited Feb 27 at 16:16
pa4080
12.3k52256
How can I set up sudo so that a particular common user can edit /etc/fstab?
I've thought to edit /etc/sudoers.d file to do this, but how do we edit /etc/fstab in this file?
sudo fstab su etc
sudo fstab su etc
edited Feb 27 at 16:16
pa4080
12.3k52256
edited Feb 27 at 16:16
pa4080
12.3k52256
edited Feb 27 at 16:16
pa4080
12.3k52256
edited Feb 27 at 16:16
pa4080
12.3k52256
edited Feb 27 at 16:16
pa4080
12.3k52256
12.3k52256
asked Feb 27 at 16:01
user786034
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
2
Readman sudoers- it will show you how to allowsudoaccess only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g.vimand:!) that would give access to arootshell. In the security biz, that's Game Over. Also, readman sudoersaboutsudoeditand the-eoption.
– waltinator
Feb 27 at 16:07
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13
add a comment |Â
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
2
Readman sudoers- it will show you how to allowsudoaccess only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g.vimand:!) that would give access to arootshell. In the security biz, that's Game Over. Also, readman sudoersaboutsudoeditand the-eoption.
– waltinator
Feb 27 at 16:07
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
2
2
Read
man sudoers - it will show you how to allow sudo access only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g. vim and :!) that would give access to a root shell. In the security biz, that's Game Over. Also, read man sudoers about sudoedit and the -e option.– waltinator
Feb 27 at 16:07
Read
man sudoers - it will show you how to allow sudo access only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g. vim and :!) that would give access to a root shell. In the security biz, that's Game Over. Also, read man sudoers about sudoedit and the -e option.– waltinator
Feb 27 at 16:07
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
1
down vote
Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :
Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username ALL = (user) EDITFSTAB
Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).
answered Feb 27 at 16:24
Simon Van Machin
23010
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
Don't use your favourite editor to edit/etc/sudoers*files, instead that usesudo visudoorsudo visudo -f /etc/sudoers.d/<file-name>. Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421
– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
 |Â
show 2 more comments
up vote
1
down vote
Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:
echo -e '#!/bin/shnnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab
Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:
ALL ALL=NOPASSWD: /usr/local/bin/editfstab
At this point, each system user will be able to edit /etc/fstab, without password, by the command:
sudo editfstab
You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:
#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
answered Feb 27 at 16:15
pa4080
12.3k52256
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :
Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username ALL = (user) EDITFSTAB
Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).
answered Feb 27 at 16:24
Simon Van Machin
23010
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
Don't use your favourite editor to edit/etc/sudoers*files, instead that usesudo visudoorsudo visudo -f /etc/sudoers.d/<file-name>. Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421
– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
 |Â
show 2 more comments
up vote
1
down vote
Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :
Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username ALL = (user) EDITFSTAB
Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).
answered Feb 27 at 16:24
Simon Van Machin
23010
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
Don't use your favourite editor to edit/etc/sudoers*files, instead that usesudo visudoorsudo visudo -f /etc/sudoers.d/<file-name>. Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421
– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
 |Â
show 2 more comments
up vote
1
down vote
up vote
1
down vote
Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :
Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username ALL = (user) EDITFSTAB
Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).
answered Feb 27 at 16:24
Simon Van Machin
23010
Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :
Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username ALL = (user) EDITFSTAB
Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).
answered Feb 27 at 16:24
Simon Van Machin
23010
answered Feb 27 at 16:24
Simon Van Machin
23010
answered Feb 27 at 16:24
Simon Van Machin
23010
answered Feb 27 at 16:24
Simon Van Machin
23010
23010
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
Don't use your favourite editor to edit/etc/sudoers*files, instead that usesudo visudoorsudo visudo -f /etc/sudoers.d/<file-name>. Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421
– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
 |Â
show 2 more comments
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
Don't use your favourite editor to edit/etc/sudoers*files, instead that usesudo visudoorsudo visudo -f /etc/sudoers.d/<file-name>. Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421
– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
woupsie, too slow;)
– Simon Van Machin
Feb 27 at 16:24
1
1
Don't use your favourite editor to edit
/etc/sudoers* files, instead that use sudo visudo or sudo visudo -f /etc/sudoers.d/<file-name> . Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421– pa4080
Feb 27 at 16:27
Don't use your favourite editor to edit
/etc/sudoers* files, instead that use sudo visudo or sudo visudo -f /etc/sudoers.d/<file-name> . Otherwise any simple typo can lock your system. Reference: askubuntu.com/a/159009/566421– pa4080
Feb 27 at 16:27
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB
– user786034
Feb 27 at 21:43
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel
– Simon Van Machin
Feb 28 at 7:08
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
Visudo* - typo, on mobile
– Simon Van Machin
Feb 28 at 7:16
 |Â
show 2 more comments
up vote
1
down vote
Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:
echo -e '#!/bin/shnnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab
Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:
ALL ALL=NOPASSWD: /usr/local/bin/editfstab
At this point, each system user will be able to edit /etc/fstab, without password, by the command:
sudo editfstab
You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:
#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
answered Feb 27 at 16:15
pa4080
12.3k52256
add a comment |Â
up vote
1
down vote
Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:
echo -e '#!/bin/shnnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab
Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:
ALL ALL=NOPASSWD: /usr/local/bin/editfstab
At this point, each system user will be able to edit /etc/fstab, without password, by the command:
sudo editfstab
You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:
#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
answered Feb 27 at 16:15
pa4080
12.3k52256
add a comment |Â
up vote
1
down vote
up vote
1
down vote
Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:
echo -e '#!/bin/shnnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab
Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:
ALL ALL=NOPASSWD: /usr/local/bin/editfstab
At this point, each system user will be able to edit /etc/fstab, without password, by the command:
sudo editfstab
You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:
#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
answered Feb 27 at 16:15
pa4080
12.3k52256
Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:
echo -e '#!/bin/shnnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab
Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:
ALL ALL=NOPASSWD: /usr/local/bin/editfstab
At this point, each system user will be able to edit /etc/fstab, without password, by the command:
sudo editfstab
You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:
#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
answered Feb 27 at 16:15
pa4080
12.3k52256
edited Feb 27 at 16:24
answered Feb 27 at 16:15
pa4080
12.3k52256
answered Feb 27 at 16:15
pa4080
12.3k52256
answered Feb 27 at 16:15
pa4080
12.3k52256
12.3k52256
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1010332%2fset-up-sudo-so-that-a-particular-common-user-can-edit-etc-fstab%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Which version of Ubuntu are you running? And is this the only thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think.
– sudodus
Feb 27 at 16:05
2
Read
man sudoers- it will show you how to allowsudoaccess only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g.vimand:!) that would give access to arootshell. In the security biz, that's Game Over. Also, readman sudoersaboutsudoeditand the-eoption.– waltinator
Feb 27 at 16:07
Version: Ubuntu 16.04
– user786034
Feb 27 at 16:13