I want to configure sudoers so that the password required for a single command would be the requesting user’s, but all other commands would ask for the root password (openSUSE default).
The case is that I have openSUSE installed on a group of PCs in small network and I want to enable a specific user to restart a systemd service by using his password.
For security reasons: a) I want the host to ask for a password when running the command, b) I don’t want to give out the root password.
I tried a few combinations with rootpw, targetpw but would either ask user or root password for all commands.
openSUSE: 15.6
File permissions in YaST: secure
Sudoers will be served from openLDAP, but is out of scope for this problem.
Thank you for the info. I know, I use this already and just starting to centralize administration so I would like to move as much stuff as possible to sudoers via LDAP.
This may be the first thing ever I wanted to achieve in Linux and couldn’t find a way to do it (and I’ve done some freaky stuff).
So the only way to work is either password globally (root or user) or NOPASSWD?
No, there isn’t. The logical follow-up is: why do you think you need to?
The big hangup is that you seem to think having the default rootpw for everything but this one command is more secure than userpw for everything and giving the user just that one command.
Well, the thing here is that I believe my case is a little bit peculiar. We are an SMB organization. I am the only systems administrator and there is one other guy that is a little bit technical.
What I want is to have only that one user be able to have some extra privileges (e.g. restart cups, restart the erp daemon) without knowing the root password, but still requiring a password in order to “safeguard” against accidental keystrokes. I don’t want all users to be able to use sudo.
A culprit is that I am using LDAP via sssd also on the server itself (which may indeed be a bad practice).
Your use case is not peculiar; it is one of the things sudo is designed to do, and none of that requires rootpw.
If you were just using the default /etc/sudoers you would simply
Comment out Defaults targetpw
Put yourself in %wheel
Don’t put the other user in %wheel
Create a Command Alias in /etc/sudoers that has all the commands that the other user should run
Add other_user ALL=(ALL) CMD_ALIAS to the sudoers file
You can run any command as root (any user actually) using your password.
They can run whatever commands you defined in the command alias using their own password.
This is how a system that disables root (has no root password) does sudo.
To do the same in LDAP you do the same things, it’s just that where in the directory structure you create Aliases, Defaults and the rules depends on your LDAP backend or IAM product.
Ok, thank you. Food for thought here. I’ll definitely check this scenario out.
But, if I remove targetpw wouldn’t that allow the other users (except the one set in sudoers) to run any command with sudo using their own password?
Sorry if it’s a stupid question but I’m a sudo newbie. I’ve been using the root account since the beginning (13 years ago), as I’ve been using openSUSE since the beginning (if I’m not mistaken, Ubuntu uses sudo by default?)
The rule that allows that in the default sudoers is %wheel ALL=(ALL:ALL) ALL
If you’re in the group ‘wheel’, you can run all commands as any user on any host.
If you’re not in that group, you don’t match that rule. If you’re not an administrator of that machine, you shouldn’t be in the wheel group, though you can also remove that rule if you don’t want %wheel to define administrators but still need %wheel for other things.
The password for sudo is to verify you are who you are, not what commands you’re allowed to run. That is defined by the rules you write.