Controlling sudo re-authentication


Here is a small trick for sudo: controlling which commands a user must re-authenticate for and which commands can be run without re-authenticating.

One option is to use the NOPASSWD tag. This allows a user to run a particular command without giving a password:

alok client = NOPASSWD: /bin/ls, /usr/bin/tail

This would allow alok to use /bin/ls and /usr/bin/tail without authenticating, on the host named client.

You can also specify PASSWD later in the list to limit this further:

alok client = NOPASSWD: /bin/ls, /usr/bin/tail, PASSWD:/bin/kill

This would allow all three commands, but for /bin/kill, alok would have to re-authenticate.
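To audit rules like the two above, the following added example (not part of the original post) reports, for each command in a rule, whether sudo will ask for a password. It relies on the sudoers behaviour that a tag stays in effect for the following commands until the opposite tag appears. The function name `auth_requirements` is made up for this example, and it assumes one rule per line with no aliases, no Runas specification and the default `authenticate` setting.

```python
import re

# Tags that toggle authentication; a tag stays in effect for the following
# commands in the list until the opposite tag appears.
AUTH_TAGS = {"NOPASSWD": False, "PASSWD": True}
# Other sudoers tags are recognised so they are not mistaken for command text.
OTHER_TAGS = {"EXEC", "NOEXEC", "SETENV", "NOSETENV", "MAIL", "NOMAIL",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
              "FOLLOW", "NOFOLLOW"}
TAG_RE = re.compile(r"^([A-Z_]+)\s*:\s*")

def auth_requirements(rule):
    """Return [(command, password_required)] for one user specification.

    Assumed scope: a single 'user host = command list' line, no aliases,
    no Runas specification, no line continuations, and the default
    'authenticate' setting (password required unless NOPASSWD applies).
    """
    _, _, spec_list = rule.partition("=")
    needs_password = True
    result = []
    # Commas separate commands; a backslash-escaped comma belongs to a command.
    for item in re.split(r"(?<!\\),", spec_list):
        item = item.strip()
        while (m := TAG_RE.match(item)):
            tag = m.group(1)
            if tag in AUTH_TAGS:
                needs_password = AUTH_TAGS[tag]
            elif tag not in OTHER_TAGS:
                break                      # not a tag, part of the command
            item = item[m.end():]
        if item:
            result.append((item, needs_password))
    return result

# The second rule from the text above.
RULE = "alok client = NOPASSWD: /bin/ls, /usr/bin/tail, PASSWD:/bin/kill"

if __name__ == "__main__":
    for cmd, pw in auth_requirements(RULE):
        print(f"{cmd:<16} {'password required' if pw else 'NO password'}")
```

Run it over each rule before installing the file, and validate the file itself with `visudo -c`.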

Here is a screenshot from my machine.

[Screenshot: Controlling sudo re-authentication]