sudoers - allow user to ssh as another user and run a specific command

I am writing a Bash script to manage various JBoss instances across multiple servers and I can't seem to get my head around one particular issue. I have spent hours searching the internet but am probably more confused now than when I started off.



The script allows users to check the status of each instance as well as stop/start them. The script is situated in /opt and then for the stop/start part, it passes arguments to a child script situated under each /jboss/bin directory.



The users who are allowed to stop/start already have permissions to run anything as the application user (jbossuser) and that user has ssh keys set up for the other servers. I have had no issues getting this part of the functionality to work.



I would like to allow any user (namely those who don't have the permissions to execute as the application user) to be able to check the status of each instance. For that I have:



status() 
pid=$(ssh -q -t jbossuser@$server "ps -ef


If the script hasn't been run with sudo -u jbossuser ./script.sh, which the standard users are not allowed to do, it prompts for jbossuser's password.



I know I need to add something to the sudoers file to allow those users to run this specific command, but I am not sure what I need to add. I have got as far as:



user ALL=(jbossuser) NOPASSWD: /usr/bin/ssh


But I want to restrict them to only be allowed to ssh to a handful of servers, only as jbossuser and limited to that ps -ef command.



Any help would be greatly appreciated :)









Tags: ssh, rhel, sudo, remote





asked 2 mins ago by hshah
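
One way to get the restriction asked for above, as an added example that is not part of the original post: grant sudo on a small root-owned wrapper instead of on /usr/bin/ssh, and let the wrapper fix the remote user, the command and the permitted hosts. The wrapper path /usr/local/bin/jboss-status and the server names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the poster's script. Hypothetical wrapper installed
# root-owned, mode 0755, as /usr/local/bin/jboss-status and granted with:
#   user ALL=(jbossuser) NOPASSWD: /usr/local/bin/jboss-status
# The bare /usr/bin/ssh rule lets the caller choose any host, any ssh
# option and any remote command; here the caller chooses only the host.

# Constructed allowlist; replace with the real server names.
ALLOWED_SERVERS="app01.example.com app02.example.com"

# The only remote command this wrapper ever sends.
REMOTE_CMD="ps -ef"

# Return 0 only if $1 exactly matches an allowlisted name. Exact matching
# also rejects arguments that start with '-' or contain spaces.
is_allowed_server() {
    for s in $ALLOWED_SERVERS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print the fixed ssh command line for $1, or fail without printing.
status_command() {
    [ "$#" -eq 1 ] || return 2
    is_allowed_server "$1" || return 1
    printf 'ssh -q -o BatchMode=yes jbossuser@%s %s\n' "$1" "$REMOTE_CMD"
}

main() {
    status_command "$@" >/dev/null || {
        echo "usage: jboss-status <allowed-server>" >&2
        exit 64
    }
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    exec /usr/bin/ssh -q -o BatchMode=yes "jbossuser@$1" "$REMOTE_CMD"
}

# Run only when invoked under the installed name, so the functions can
# be sourced and checked without opening a connection.
case "${0##*/}" in
    jboss-status) main "$@" ;;
esac
```

Users would call it as sudo -u jbossuser /usr/local/bin/jboss-status app01.example.com. To enforce the same limit on the remote side, a separate key used only for status checks can be pinned in jbossuser's authorized_keys with a command="ps -ef" option, which holds even if the wrapper is bypassed.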
