On 29 Sep 2020, at 08:33, Niranjan Rao <nhr...@gmail.com> wrote:
> We have a need to allow certain group of people to perform operations such as
> start/stop/reload etc. Traditionally these operations are performed using
> sudo command e.g. sudo service apache2 start. These people don't need full
> sudo permissions. All they need is apache related permissions. We can tinker
> with an entry in sudoers.d and grant required permissions - but permissions
> need to be granted to "service" command
Write a command (a simple shell script) that executes the command you want to
allow, for example, /usr/local/bin/starta2 => "sudo apache2 start" and grant
the user access to that script in the shudders file.
Repeat with other commands.
Make sure the script(s) is owned by root and has permissions 0700.
> Are there any recommended best practices or guides to allow these kinds of
> granular permissions? My searches so far has revealed commands using sudo.
Sudo is the way to do this, but to restrict specific commands to specific
options, you have to to a little two-step.
I do something like this to allow an unprivilegeduser to start rsnapshot.
--
"He uses statistics as a drunken man uses lamp-posts... for support
rather than illumination." - Andrew Lang (1844-1912)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
