In Linux system administration, there are many situations where you might want to allow a regular (non-root) user to execute a few specific commands that normally require elevated privileges. Instead of giving them full root access—which can be risky—you can configure the system to grant access only to particular commands. This method improves system security while providing users the flexibility they need.
Granting limited root access carefully ensures that users can perform their tasks without compromising the overall security and stability of the system. In this guide, you’ll learn the proper way to allow a normal user to execute selected commands as root, both with and without requiring a password, by safely editing the system’s sudoers file.
Safely Editing the /etc/sudoers File
To give limited root access to a normal user, the key is to modify the /etc/sudoers file. This special file controls who can run what commands as other users, particularly as root. However, you should never edit /etc/sudoers directly with a normal text editor because a single mistake could lock you out of administrative access to your system.
Instead, always use the visudo command (learn how to change the default editor for visudo here). visudo locks the file against multiple simultaneous edits and checks for syntax errors before saving changes. If you make a mistake, it will warn you, preventing potentially serious system issues. To open the file safely, run:
sudo visudoThis will launch the sudoers file in your system’s default editor.
Giving Root Access for Specific Commands
If you want to allow a user to run only certain commands as root, you need to specify exactly which commands they are allowed to execute. In the /etc/sudoers file, you can add a line like this:
username ALL=(root) /path/to/command/,/path/to/command2/,/path/to/scriptEach command’s full path must be separated by commas. You can find the exact paths by using the whereis command. For example, if you want to allow the user mike to run useradd and groupadd, you would first locate them:
$ whereis useradd
useradd: /usr/sbin/useradd /usr/share/man/man8/useradd.8.gz
$ whereis groupadd
groupadd: /usr/sbin/groupadd /usr/share/man/man8/groupadd.8.gzAfter locating the correct binaries, you would add the following line to /etc/sudoers:
mike ALL=(root) /usr/sbin/useradd,/usr/sbin/groupaddThis configuration allows Mike to run useradd and groupadd as root, but only these two commands—nothing else.
Testing the New Access
Once you have updated the sudoers file, it’s important to verify that everything works as expected. Switch to the user account and attempt to run the allowed commands with sudo:
$ su mike
$ sudo useradd
$ sudo groupaddAt this point, the system will prompt Mike to enter his own password (not the root password). If everything is set correctly, the commands should execute successfully. If the user tries to run a different command not listed in the sudoers file, the system will deny permission, maintaining a tight security boundary.
Allowing Passwordless Root Access for Specific Commands
In some cases, you might want the user to run the allowed commands without being prompted for their password every time. This can be useful for automation scripts or repetitive administrative tasks.
To enable passwordless execution, add NOPASSWD: before listing the commands in the sudoers file:
username ALL=(root) NOPASSWD: /path/to/command/,/path/to/command2/,/path/to/scriptUsing the previous example, if you want Mike to run useradd and groupadd without entering his password, the sudoers entry should be:
mike ALL=(root) NOPASSWD: /usr/sbin/useradd,/usr/sbin/groupaddNow, when Mike runs the allowed commands with sudo, they will execute immediately without asking for any password. This is particularly useful for seamless operations, but should be used cautiously to avoid security risks.
Conclusion
Granting limited root access to users in Linux can dramatically improve both the usability and security of your system. By specifying exactly which commands a user can execute as root, you minimize the risks typically associated with broad administrative privileges.
Always remember to use visudo when editing the sudoers file to avoid breaking your system configuration. Whether you choose to require a password or allow passwordless execution depends on the specific needs and trust level of your users. Used wisely, these methods will help you maintain a secure, flexible, and well-organized Linux environment.
