Sudo HowTo

From Nonecks Docs



Giving Specific Users Root Access to Certain Commands and Files

  • Apart from I.T. users, some developers may need to look at or manipulate log files from certain applications or services
    • For example, tailing or cat'ing a file

Determine what the User needs to access and run

Add the user and permissions to the /etc/sudoers file using the 'visudo' command.

# visudo

Add the user under the 'User_Alias' specification

User_Alias BOX_CONTROL = bernard
User_Alias WEBMASTERS = joe, jim, bernard

Add the commands the user is allowed to run with the 'Cmnd_Alias' specification

Cmnd_Alias REBOOT = /sbin/shutdown -r
Cmnd_Alias APACHE = /usr/sbin/apache2ctl
Cmnd_Alias TAIL   = /usr/bin/tail

Add the User and Cmnd alias specification to the user privilege specification area

BOX_CONTROL         ALL     = PASSWD : REBOOT
WEBMASTERS          ALL     = NOPASSWD   : APACHE, TAIL
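Once aliases nest and a command is listed without arguments, the real scope of a grant is easy to misjudge. The following Python script is an added example, not part of this wiki page: it parses a cut-down sudoers grammar (User_Alias, Cmnd_Alias and user privilege lines with an optional runas group and PASSWD/NOPASSWD tag; no Host_Alias, Runas_Alias, '!' negation or line continuations), expands the aliases into per-user command grants, and flags the grants a reviewer should question. The sample text it reads is the fragment built in the steps above plus a constructed LOGCAT alias that carries an argument wildcard. The flagged conditions are that a command listed without arguments accepts any arguments, and that a '*' in sudoers arguments also matches spaces, so a pattern such as /var/log/* can name more than one file on a single command line.

```python
"""Expand sudoers aliases into per-user grants and flag overly broad ones.

Added example for this page, not the page's own configuration.  It handles a
deliberately cut-down grammar: User_Alias, Cmnd_Alias and user privilege
lines with an optional (runas) group and PASSWD/NOPASSWD tag.  Host_Alias,
Runas_Alias, '!' negation and line continuations are not supported; use
'visudo -c -f FILE' on the real file for the authoritative syntax check.
"""
import re
from collections import defaultdict

# Constructed sample: the fragment from the steps above plus a LOGCAT alias
# (not from the original page) that shows an argument wildcard.
SAMPLE_SUDOERS = """\
User_Alias BOX_CONTROL = bernard
User_Alias WEBMASTERS = joe, jim, bernard

Cmnd_Alias REBOOT = /sbin/shutdown -r
Cmnd_Alias APACHE = /usr/sbin/apache2ctl
Cmnd_Alias TAIL   = /usr/bin/tail
Cmnd_Alias LOGCAT = /bin/cat /var/log/*   # constructed for the example

BOX_CONTROL         ALL     = PASSWD : REBOOT
WEBMASTERS          ALL     = NOPASSWD   : APACHE, TAIL, LOGCAT
"""

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\((.*?)\)\s*)?(?:(NOPASSWD|PASSWD)\s*:\s*)?(.+)$"
)
# Line kinds this cut-down parser deliberately ignores.
SKIP_PREFIXES = ("Defaults", "Host_Alias", "Runas_Alias", "@include")


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, specs).

    specs are tuples (who, host, runas, tag, [commands]); '#' starts a comment.
    """
    users, cmnds, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            target = users if kind == "User_Alias" else cmnds
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            who, host, runas, tag, cmdlist = m.groups()
            cmds = [c.strip() for c in cmdlist.split(",")]
            specs.append((who, host, runas or "root", tag or "PASSWD", cmds))
    return users, cmnds, specs


def expand(name, aliases, seen=frozenset()):
    """Recursively replace an alias name by its members; plain names pass
    through unchanged.  'seen' stops a self-referencing alias from looping."""
    if name not in aliases or name in seen:
        return [name]
    out = []
    for member in aliases[name]:
        out.extend(expand(member, aliases, seen | {name}))
    return out


def grants(text):
    """Return {user: [(tag, command), ...]} with both alias kinds expanded."""
    users, cmnds, specs = parse_sudoers(text)
    result = defaultdict(list)
    for who, _host, _runas, tag, cmdlist in specs:
        for user in expand(who, users):
            for cmd in cmdlist:
                for resolved in expand(cmd, cmnds):
                    result[user].append((tag, resolved))
    return dict(result)


def lint(text):
    """Return (user, command, reason) for every grant a reviewer should question:
    ALL, a command with no argument restriction, or a wildcard in the arguments
    (sudoers matches arguments as one space-separated string, so '*' spans words)."""
    findings = []
    for user, entries in sorted(grants(text).items()):
        for _tag, cmd in entries:
            _path, _, args = cmd.partition(" ")
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif not args:
                findings.append((user, cmd, "no argument restriction: any arguments accepted"))
            elif "*" in args:
                findings.append((user, cmd, "wildcard args match whitespace; can name extra files"))
    return findings


if __name__ == "__main__":
    for user, entries in sorted(grants(SAMPLE_SUDOERS).items()):
        print(user, entries)
    for finding in lint(SAMPLE_SUDOERS):
        print("REVIEW:", *finding)
```

On the sample, every WEBMASTERS member is flagged for the bare apache2ctl and tail grants and for the wildcard in the constructed LOGCAT alias, while the REBOOT grant passes because its argument is fixed. After editing a real file, confirm the syntax with visudo -c -f FILE and compare what sudo itself resolves with sudo -l -U USER; this script is only a reviewer's aid and does not replace either.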

Auctiva Sudoers file
---------------------
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification 

# User alias specification
User_Alias MAILMAN = scrossley

# Cmnd alias specification
# Cmnd_Alias APACHE = /usr/local/sbin/kickapache
Cmnd_Alias TAIL = /usr/bin/tail
Cmnd_Alias CAT = /bin/cat
Cmnd_Alias MREPORT = /usr/bin/mailreport

# Defaults specification 

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:

# Runas alias specification 

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom

# SUDO MASTERS
acerna          ALL     = (ALL) ALL
rrussell        ALL     = (ALL) ALL

# SUDO Groups and Permissions
# Arguments cannot be appended to a Cmnd_Alias name in a privilege line, so
# the path-restricted commands are written out in full here. A '*' in sudoers
# arguments also matches spaces, so '/var/log/*' can name more than one file.
MAILMAN         ALL     = NOPASSWD : /bin/cat /var/log/*
MAILMAN         ALL     = NOPASSWD : /usr/bin/tail -f /var/log/*
MAILMAN         ALL     = NOPASSWD : MREPORT
MAILMAN         ALL     = NOPASSWD : /bin/ls /var/log*
---------------------------------------