One of the challenges when adding a user in a Linux environment is defining precisely what they can or cannot do. Some may find configuring authorisation in Linux a bit complicated. In my case I needed to add a user with the privilege to execute some commands with sudo but without full root access.
The first thing is to create the user we want to customise:
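Then create the key pair; the private key (id_rsa) is passed to the user later:

    # Generate an RSA key pair in the current directory (id_rsa, id_rsa.pub)
    ssh-keygen -t rsa -f id_rsa
    mkdir jack/.ssh
    chmod 700 jack/.ssh/
    # Install the public key as jack's authorized key
    cp id_rsa.pub jack/.ssh/authorized_keys
    chmod 600 jack/.ssh/authorized_keys
    chown -R jack:jack jack/.ssh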
Then edit the sudoers configuration:

    visudo -f /etc/sudoers.d/developers-configs

    User_Alias DEVELOPERS = jack,john
    Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, \
                         /usr/bin/tail /var/log/nginx/*.access, \
                         /bin/grep * /var/log/nginx/*.error, \
                         /bin/grep * /var/log/nginx/*.access
    Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, \
                             /usr/bin/nano /etc/nginx/site.d/*.conf, \
                             /bin/cat /etc/nginx/site.d/*.conf
    Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, \
                              /sbin/service php-fpm status, \
                              /sbin/service nginx restart, \
                              /sbin/service nginx configtest, \
                              /sbin/service php-fpm restart
    DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX
This creates DEVELOPERS as an alias for the users, and SEELOGS, EDITCONFIGS and RESTARTNGINX as aliases for the commands those users can execute; it then assigns the SEELOGS, EDITCONFIGS and RESTARTNGINX privileges to DEVELOPERS. If you want users to be prompted for a password, you can remove the “NOPASSWD:” part.
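An added check, not part of the original post: per sudoers(5), wildcards in command arguments are matched against the whole argument string, across spaces and slashes, and programs such as vi or nano can start other programs once running, so rules like the ones above can grant more than intended. This Python sketch flags both patterns in Cmnd_Alias lines; the sample is abridged from the aliases above, and the INTERACTIVE list and function names are assumptions to adapt locally.

```python
import os
import re

# Constructed sample: an abridged copy of the Cmnd_Alias lines shown above.
SUDOERS = r"""
User_Alias DEVELOPERS = jack,john
Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, /bin/grep * /var/log/nginx/*.error
Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, /bin/cat /etc/nginx/site.d/*.conf
Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, /sbin/service nginx restart
DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX
"""

# Programs that can launch a shell or open arbitrary files once started.
# Assumed starter list, not exhaustive.
INTERACTIVE = {"vi", "vim", "nano", "less", "more", "man"}


def parse_cmnd_aliases(text):
    """Return {alias: [command, ...]} for each single-alias Cmnd_Alias line."""
    text = text.replace("\\\n", "")  # join backslash-continued lines
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if m:
            # Commands are comma separated; "\," is an escaped literal comma.
            cmds = re.split(r"(?<!\\),", m.group(2))
            aliases[m.group(1)] = [c.strip() for c in cmds if c.strip()]
    return aliases


def audit(text):
    """Return (alias, command, finding) tuples for risky sudoers commands."""
    findings = []
    for alias, cmds in parse_cmnd_aliases(text).items():
        for cmd in cmds:
            prog, _, args = cmd.partition(" ")
            # Wildcards in arguments match more than one path component.
            if re.search(r"[*?\[]", args):
                findings.append((alias, cmd, "wildcard-args"))
            # Interactive programs run as root are not confined to one file.
            if os.path.basename(prog) in INTERACTIVE:
                findings.append((alias, cmd, "interactive-program"))
    return findings


if __name__ == "__main__":
    for alias, cmd, finding in audit(SUDOERS):
        print(f"{finding:20} {alias:12} {cmd}")
```

For the editing case, sudoers supports `sudoedit` entries, which let a user edit a file without the editor itself running as root.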
Please note that, depending on your OS, you may need to add the user in “/etc/ssh/sshd_config” … for example “AllowUsers jack”.