Create limited Linux user

Is there a way to create a limited Linux user and decide on the commands they could run? For example only allow them to run a list of commands found in a certain file?

fwconsole chown
yum update -y
fwconsole ma upgradeall

To list a few I might include.

I think ‘sudo’ is the “right” way to solve that.

2 Likes

sudo is indeed the recommended way to elevate the privilege of any linux user,

Do you need the user to have blind access (very dangerous) or would the privilege be conditional on a successful password?

2 Likes

I envision the privilege being protected by password. Once logged in they could run a list of approved commands such as

fwconsole ma upgradeall
date
yum update -y
fwconsole chown

But they would only be able to run the commands that are specified.

fred ALL= /usr/sbin/fwconsole chown,/usr/bin/yum,/usr/sbin/fwconole ma upgradeall

this adds privileges to ‘privileged’ commands, date is ‘unprivileged’

1 Like

Very interesting. I’m unfamiliar with the fred command but will run through some testing. Thank you

hehe , fred is not a command, he is a user of your system and that line is to be added with the visudo command

1 Like

well that is embarrassing. explains why my google search of the command yielded no results!

1 Like

visudo tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum,/usr/sbin/fwconole ma upgradeall

usage: visudo [-chqsV] [-f sudoers]

It seems to indicate I need to include the -f sudoers in my command. I tried visudo -f sudoers tech …

a)

visudo

(this opens the /etc/sudoers file and won’t save stupid mistakes, (it no longer uses vi) )

b)

fix my typos

c)
paste at the end

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall

d)
(never blindly copy and paste)

lesson learned. I’ll do some testing. Thank you

Do I need an asterisk restart for this to take place you think? At the bottom of /etc/sudoers I have the following:

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall

but when I run one of the commands logged in as tech I see the following:

[[email protected] ~]$ fwconsole chown
PHP Warning:  include_once(/etc/freepbx.conf): failed to open stream: Permission                             denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning:  include_once(): Failed opening '/etc/freepbx.conf' for inclusion (                            include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwcons                            ole on line 12
PHP Fatal error:  Class 'Symfony\Component\Console\Application' not found in /va                            r/www/html/admin/libraries/FWApplication.class.php on line 11

[[email protected] ~]$ fwconsole ma upgradeall
PHP Warning:  include_once(/etc/freepbx.conf): failed to open stream: Permission                             denied in /var/lib/asterisk/bin/fwconsole on line 12
PHP Warning:  include_once(): Failed opening '/etc/freepbx.conf' for inclusion (                            include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwcons                            ole on line 12
PHP Fatal error:  Class 'Symfony\Component\Console\Application' not found in /va                            r/www/html/admin/libraries/FWApplication.class.php on line 11

from a shell

sudo -U tech -l

should list the sudo raised privileges of the user tech.

no, nothing to do with FrePBX

Matching Defaults entries for tech on freepbx:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tech may run the following commands on freepbx:
    (root) /usr/sbin/fwconsole chown, /usr/bin/yum update, /usr/sbin/fwconsole ma upgradeall

Looks good and would WFM, but I’m not a RedHat kinda guy.

you might need to add rights to /etc/freepbx.conf

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall,/etc/freepbx.conf

,

1 Like

Ok, I appreciate your help getting this far. I’ll keep digging and let you know what I find.

He did not execute it with sudo.

@mvogel4949 you gave the user “tech” rights to use “sudo” for those commands.
as tech:

sudo yum update -y
sudo fwconsole chown
sudo fwconsole ma upgrade all
1 Like

Can I mark two answers as solutions? It is working now. Thank you to the both of you!

As a heads up to anyone else that might be interested I also had to add the following to the list:

/etc/freepbx.conf,/var/lib/asterisk/bin/fwconsole

so in the end it looked like this:

tech ALL= /usr/sbin/fwconsole chown,/usr/bin/yum update,/usr/sbin/fwconsole ma upgradeall,/etc/freepbx.conf,/var/lib/asterisk/bin/fwconsole

Please be VERY careful with sudo, giving access to

/var/spool/asterisk/voicemail/default/INBOX/*

also gives implicit access to /var/spool/asterisk/voicemail/default/INBOX/…/…/…/…/…/… which is a really bad thing.

giving access to ‘vi’ or ‘less’ also exposes the ability of those binaries to ‘exit to shell’ possibly to your detriment

(you have been warned)

1 Like