{"id":562,"date":"2022-07-18T14:15:39","date_gmt":"2022-07-18T06:15:39","guid":{"rendered":"https:\/\/codestrian.com\/?p=562"},"modified":"2022-10-18T12:04:03","modified_gmt":"2022-10-18T04:04:03","slug":"restricting-su-to-target-groups","status":"publish","type":"post","link":"https:\/\/codestrian.com\/index.php\/2022\/07\/18\/restricting-su-to-target-groups\/","title":{"rendered":"Restricting &#8220;su&#8221; to target groups"},"content":{"rendered":"<p>In many situations we would like to give users access to a particular command without exposing more access than security concerns allow.<br \/>\nOne particular example is the docker command. After a docker daemon has been installed, one can invoke the command either as root or as a member of the docker group.<br \/>\nThe problem with the second approach is that every new user has to be added to the docker group. Wouldn't it be better if the user's primary group simply worked?<br \/>\nWe can make use of PAM on Linux to achieve this.<\/p>\n<p>The code block below uses the <code>pam_succeed_if.so<\/code> module to check whether the target user is <code>user_name<\/code>. If that is true, the result is ignored and processing continues with the next line. If it is false, meaning we are not attempting to become <code>user_name<\/code>, the next two lines are skipped (this is configured by <code>default=2<\/code>; adjust the number to match the number of lines you want to skip). 
In the two lines that follow, <code>use_uid<\/code> makes the check apply to the user who invoked the <code>su<\/code> command rather than the target user, so they test whether that invoking user is a member of the <code>group_name<\/code> you have defined.<\/p>\n<pre><code>auth            [success=ignore default=2] pam_succeed_if.so user = &lt;user_name&gt;\nauth            sufficient      pam_succeed_if.so use_uid user ingroup &lt;group_name&gt;\nauth            sufficient      pam_succeed_if.so use_uid user ingroup &lt;group_name&gt;<\/code><\/pre>\n<p>Putting everything together, add the following to <code>\/etc\/pam.d\/su<\/code>. It checks whether the user invoking <code>su - docker<\/code> belongs to the group <code>staff<\/code> or <code>system<\/code>. Because the lines are marked <code>sufficient<\/code>, a member of either group is switched to <code>docker<\/code> without being asked for a password, so membership of those groups should be granted with that in mind.<\/p>\n<pre><code>auth            sufficient      pam_rootok.so # Add the next three lines below this line\nauth            [success=ignore default=2] pam_succeed_if.so user = docker\nauth            sufficient      pam_succeed_if.so use_uid user ingroup staff\nauth            sufficient      pam_succeed_if.so use_uid user ingroup system<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In many situations we would like to give users access to a particular command without exposing more access than security concerns allow. One particular example is the docker command. 
After a docker daemon has been installed, one can invoke the command either as root or as a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[],"_links":{"self":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/562"}],"collection":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/comments?post=562"}],"version-history":[{"count":4,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/562\/revisions"}],"predecessor-version":[{"id":567,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/562\/revisions\/567"}],"wp:attachment":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/media?parent=562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/categories?post=562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/tags?post=562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}