require sudo password for specific commands

Posted on

require sudo password for specific commands – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, debian, password, sudo, .

I’m trying to force a password on specific commands with sudo everytime of execution regardless if the password has been entered a second ago.
Is there a way of doing that?

Every search result on google just explains on how to remove the password prompt with NOPASSWD which is ok but I still want SPECIFIC commands to get a password prompt every time they get executed even if the password was just entered a second ago.

My approach was this:

Defaults               !authenticate
Cmnd_Alias             WITHPW = rm -R, shutdown,
Defaults:WITHPW        authenticate

Can someone explain if thats the right way or what can I do?

Thanks,

A/

Solution :

There’s a difference between two options:

authenticate

If set, users must authenticate themselves via a password
(or other means of authentication) before they may run commands. This
default may be overridden via the PASSWD and NOPASSWD tags. This flag
is on by default.

passwd_timeout

Number of minutes before the sudo password prompt times
out, or 0 for no timeout. The timeout may include a fractional
component if minute granularity is insufficient, for example 2.5. The
default is 5.

While you can set both per Cmnd_Alias, the passwd_timeout is the correct option for what you are trying to achieve.

Then, let’s look at the syntax for Defaults:

Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
                   Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
              Parameter '+=' Value |
              Parameter '-=' Value |
              '!'* Parameter

When specifying a Cmnd_List or Cmnd_Alias you need ! prefix, resulting:

Cmnd_Alias          WITHPW = /usr/bin/rm -R, /usr/sbin/shutdown
Defaults:!WITHPW    passwd_timeout=0

Leave a Reply

Your email address will not be published.