Mini tutorial : Restricting sudo users to only a handful commands

Alright, let’s begin,

First thing’s first, we’ll need to have a user created which will add to the ‘sudo’ group. To do that, ssh to your server as root

ssh root@YourDropletIp

Once you are in, to create the user we’ll need to use the ‘useradd’ command. In this tutorial we’ll call the user ‘sammy’, it’s DigitalOcean afterall:

adduser sammy

You will be prompted to create and verify a password for the user:

Output
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Next you’ll be asked to fill in some information about the new user. It is fine to accept the defaults and leave all of this information blank:

Output
Changing the user information for sammy
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]

Now that we have the user created, we’ll need to add it to the proper group, in this tutorial, we are using ‘sudo’. So, we’ll need to run the following command:

usermod -aG sudo sammy

That’s it, the user ‘sammy’ is now part of the ‘sudo’ group.

By default, the ‘sudo’ group can execute every command on the server as long as they use ‘sudo’. Let’s say we have a situation where we would want to restric this.

This can be done in the /etc/sudoers file.

Open the file with any editor you want and go to the line where it says

# Allow members of group sudo to execute any command
%sudo  ALL=(ALL:ALL) ALL

This line means that any user under the ‘sudo’ group has a permission to run all of the commands on the server. In order to restric the sudo group to a handfull of commands, you’ll need to edit that line.

Let’s say we want to give them the permission to use only the ‘ls’ and the ‘cd’ command on the server. In order to to this, we’ll need to edit the line to look like this

%sudo /bin/ls, /bin/cd

That’s it. Save the file and login with the newly created user ‘sammy’. Once you are in, try and use the commands ‘ls’ and ‘cd’. You’ll be able to execute them freely where you have the proper permissions, if you don’t have the permission ot list or change into a directory, simply using the sudo command will help. However if you try to use another sudo command, you’ll get a permissions denied.

Now, if you want to restrict the sudoers from running a specific command, you can use the ‘!’ befire it again in the sudoers file. Here is an example:

%sudo !/bin/ls, !/bin/cd, !/bin/cat

Now, any sudo user won’t be able to execute

sudo ls

or

sudo cat

Here is an example:

sudo cat /etc/sudoers 
Sorry, user sammy is not allowed to execute '/bin/cat /etc/sudoers' as root on GroupTutorial.

Having said that, this is a bit overkill. If you don’t want a sudo user to be able to run a command, not adding in the list would be enough.

You can add any command you wish to be either allowed or restricted.

If you have any suggestions or questions, feel free to ask them in the question bellow!

One last thing, you can check the following tutorial on how to manage users in a Unix environment :

https://www.digitalocean.com/community/tutorials/how-to-create-a-new-sudo-enabled-user-on-ubuntu-18-04-quickstart

Regards, KDSys