1

How can I set up sudo so that a particular common user can edit /etc/fstab? I've thought to edit /etc/sudoers.d file to do this, but how do we edit /etc/fstab in this file?

pa4080
  • 29,351
  • 10
  • 85
  • 161
  • Which version of Ubuntu are you running? And is this the *only* thing, where this user should have elevated permissions? -- And why do you want this? Maybe it is not as secure as you think. – sudodus Feb 27 '18 at 16:05
  • 2
    Read `man sudoers` - it will show you how to allow `sudo` access only to listed commands. BUT all the editors I use have the capability for a "shell escape" (e.g. `vim` and `:!`) that would give access to a `root` shell. In the security biz, that's Game Over. Also, read `man sudoers` about `sudoedit` and the `-e` option. – waltinator Feb 27 '18 at 16:07
  • Version: Ubuntu 16.04 –  Feb 27 '18 at 16:13

2 Answers2

1

Create simple script, called editfstab and located in /usr/local/bin (to be accessible as shell command), and make it executable:

echo -e '#!/bin/sh\nnano /etc/fstab' | sudo tee /usr/local/bin/editfstab && sudo chmod +x /usr/local/bin/editfstab

Run the command sudo visudo -f /etc/sudoers.d/editfstab and add the following rule as content of the newly created file:

ALL ALL=NOPASSWD: /usr/local/bin/editfstab

At this point, each system user will be able to edit /etc/fstab, without password, by the command:

sudo editfstab

You can extend the functionality of /usr/local/bin/editfstab by adding a feature to make backup copy before edit:

#!/bin/sh
cp /etc/fstab /etc/fstab.bak
nano /etc/fstab
pa4080
  • 29,351
  • 10
  • 85
  • 161
1

Adding a line in sudoers.d with you favorite editing software in a cmd alias should do the trick :

Cmnd_Alias EDITFSTAB = /etc/bin/vim /etc/fstab
username    ALL = (user) EDITFSTAB

Be careful, there is a huge risk of escape privilege, maybe you should write a basic shell script to restrict/control fstab modifications WITHOUT using editor (ie "for that modification, press 1" and echo-ing right in fstab).

DrGorilla.eth
  • 385
  • 1
  • 12
  • woupsie, too slow;) – DrGorilla.eth Feb 27 '18 at 16:24
  • 1
    Don't use your favourite editor to edit `/etc/sudoers*` files, instead that use `sudo visudo` or `sudo visudo -f /etc/sudoers.d/` . Otherwise any simple typo can lock your system. Reference: https://askubuntu.com/a/159009/566421 – pa4080 Feb 27 '18 at 16:27
  • Thanks, but it still asks for password after reboot. How can i make this to a specific user and not all of the users in the system? I tried this: username TEST=(TEST:TEST) EDITFSTAB –  Feb 27 '18 at 21:43
  • Add the nopasswd option : "username ALL=NOPASSWD: EDITFSTAB". And as pa4080 mentionned, use visuel – DrGorilla.eth Feb 28 '18 at 07:08
  • Visudo* - typo, on mobile – DrGorilla.eth Feb 28 '18 at 07:16
  • I tried the last option, but it still asks for the user password. –  Feb 28 '18 at 07:25
  • On what line did you add it? Sudoers works in a sequential way, any line with that user/usergroup without the nopaswd option coming after will overwrite the option. – DrGorilla.eth Feb 28 '18 at 07:30