24

Background: I have a development machine with a LAMP setup. Several developers access the machine from time to time. Every time they make a change in a configuration file, they need to restart the Apache server using sudo service apache restart or sudo /etc/init.d/apache2 restart.

The Question:

What I want now is that every developer who accesses the machine does not have a sudo access to everything. Rather, he/she should only be able to run the service command using sudo and nothing else. Is it possible to do that?

Ankit
  • 1,171

1 Answer

38

Yes.

Make a new group, web (call it what you wish)

sudo addgroup web

Add your developer(s) to the web group (use their login name).

sudo adduser your_developer_user web

Then run sudo visudo -f /etc/sudoers.d/somefile (use a meaningful name instead of somefile).

Add in a line (use the full path of the command):

%web ALL=(ALL) /usr/bin/service apache2 *

The developers can then run

sudo service apache2 restart

using their login password.

Do NOT add your admin user to the web group.

See man sudoers for additional information.

muru
  • 207,228
Panther
  • 104,528
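
Added example, not part of the original answer: a shell sketch that renders a tighter drop-in for the same `web` group, listing each permitted `service apache2` action instead of `*` (sudoers wildcards in arguments match across word boundaries) and using `(root)` instead of `(ALL)`, then validates it with `visudo -cf` before installing. The action list, the alias name `WEB_SVC` and the file name `web-apache` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). Group "web" and the path
# /usr/bin/service come from the page; the action list, the alias name
# WEB_SVC and the drop-in file name are assumptions.

# Print a drop-in for group $1 and service $2 that allows only actions $3...
render_dropin() {
    group=$1 svc=$2; shift 2
    cmds=
    for action in "$@"; do
        # Accept plain lowercase words only, so no wildcard, space or
        # option can end up in the command specification.
        case $action in
            ''|-*|*[!a-z-]*) echo "rejected action: $action" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }/usr/bin/service $svc $action"
    done
    [ -n "$cmds" ] || { echo "no actions given" >&2; return 1; }
    # (root) fixes the run-as user; (ALL) would also permit "sudo -u <any user>".
    printf 'Cmnd_Alias WEB_SVC = %s\n' "$cmds"
    printf '%%%s ALL=(root) WEB_SVC\n' "$group"
}

# Validate the rendered text with visudo, then install it as /etc/sudoers.d/$1.
# Must run as root; a file that fails the syntax check is never installed.
install_dropin() {
    name=$1; shift
    tmp=$(mktemp) || return 1
    if render_dropin "$@" >"$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Preview only. To install, as root:
#   install_dropin web-apache web apache2 restart reload status
render_dropin web apache2 restart reload status
```

A developer in the group can confirm what the rule grants with `sudo -l`.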