No password to run command as root for fixed command?

Is it possible to define a rule in sudoers to allow one user to run one well defined command as root, without password or other authentication except being the right user?

Are there alternatives to solve this (or something very similar)?

Use suid permission bit?
Maybe make use of ssh keys somehow?

Asked By: Volker Siegel


The sudoers file allows specifying commands to permit:

username ALL=(root) NOPASSWD: /bin/foo bar baz

Here username is the user you want to permit, and the command goes at the end of the line. If you specify arguments to the command, the user can only run it with exactly those arguments, but if you don’t specify them here, the user can run the command with any arguments they choose. You can specify multiple commands separated by commas, or just as separate lines.

Edit the sudoers file with visudo (as root) and add a line in that format, with the appropriate details changed, and the user will be allowed to run exactly the command you specify with elevated privileges.

NOPASSWD: allows the user to run the command without prompting. The ALL is a host restriction, which you can probably ignore (you’ll know if you can’t). (root) means they can only run the command as the root user.

Since you ask, it is strictly possible to do this with ssh too, although sudo is better. You can put COMMAND=something at the start of a line in /root/.ssh/authorized_keys and give the user a special-purpose SSH key corresponding to that command. The only possible reasons that would be better than sudo are if you didn’t want the user to have any other access to the machine, or if you didn’t want them to have to write the command out themselves.

Answered By: Michael Homer
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.