willie0-360
asked on
Centos 7 User to Start Apache, MariaDB, LDAP
Hello Experts:
I am setting up a CentOS 7 box. I need to have users apache, mysql, and ldap be able to restart, stop, start the HTTPD, MariaDB, and openldap on this server. Also, I need these users to edit their respective configuration files.
Let us say I log in as user barry. I should be able to sudo to either the apache user, the mysql user, or the ldap user to do the tasks above.
This is what I have in my /etc/sudoers file, but I can only get to change from user barry to either user apache, ldap or mysql, but I cannot run any of the commands:
For HTTPD:
User_Alias WEBUSER_USERS = barry
Host_Alias WEBSERVER01 = server01
Cmnd_Alias SERVICE_HTTPD = /sbin/systemctl start httpd, /sbin/systemclt status -l httpd, \
/sbin/systemctl stop httpd, /sbin/systemctl restart httpd, /bin/systemctl start httpd, \
/bin/systemctl status httpd, /bin/systemctl stop httpd, /bin/systemctl restart httpd
Cmnd_Alias SUAPACHE = /usr/bin/sudo apache, /usr/bin/sudo - apache,/bin/su - apache, /bin/su apache
Cmnd_Alias SUCOPY = /usr/bin/cp
Cmnd_Alias SUVIMHTTPD = /bin/vim
WEBUSER_USERS WEBSERVER01 = SERVICE_HTTPD
WEBUSER_USERS WEBSERVER01 = SUAPACHE,SUCOPY,SUVIMHTTPD
For LDAP:
User_Alias LDAPUSER_USERS = barry
Host_Alias LDAPSERVER01 = SERVER01
Cmnd_Alias SERVICE_SLAPD = /sbin/systemctl start slapd, /sbin/systemclt status -l slapd, /sbin/systemctl stop slapd, /sbin/systemctl restart slapd, /bin/systemctl start slapd, /bin/systemctl status slapd, /bin/systemctl stop slapd, /bin/systemctl restart slapd
Cmnd_Alias SULAPD = /usr/bin/sudo ldap, /usr/bin/sudo - ldap,/bin/su - ldap, /bin/su ldap
LDAPUSER_USERS LDAPSERVER01 = SERVICE_SLAPD
LDAPUSER_USERS LDAPSERVER01 = SULAPD
Standard practice is to only allow 'root' to do those things.
ASKER
This is something I learned how to do on CentOS 5/6 from senior Linux admins. I need some users to be able to become the apache, mysql, and ldap users, depending on the need, but I am not getting it right on CentOS 7.
We are trying to keep people from having to do sudo to become root.
Thanks.
ASKER
Thanks for your comments. We are using root to run these services.
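The sketch below is an added example, not code from the asker or from any answer in this thread. It lints a sudoers fragment like the one in the question for three things sudoers semantics make checkable: command paths that do not exist, `sudo` listed as a command inside a rule, and commands granted with no argument restriction in a rule that has no Runas_Spec (such a rule runs the command as root with any arguments). The function name `lint`, its `exists` parameter, and the finding messages are assumptions made for this illustration; the sample is abridged from the question's HTTPD rules.

```python
import os
import re

# Constructed sample, abridged from the HTTPD rules in the question.
SUDOERS = r"""
Cmnd_Alias SERVICE_HTTPD = /sbin/systemctl start httpd, /sbin/systemclt status -l httpd, \
/sbin/systemctl stop httpd
Cmnd_Alias SUAPACHE = /usr/bin/sudo apache, /bin/su - apache
Cmnd_Alias SUCOPY = /usr/bin/cp
Cmnd_Alias SUVIMHTTPD = /bin/vim
WEBUSER_USERS WEBSERVER01 = SERVICE_HTTPD
WEBUSER_USERS WEBSERVER01 = SUAPACHE,SUCOPY,SUVIMHTTPD
"""

# who host = [(runas)] command-or-alias list
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(\([^)]*\))?\s*(.+)$")
NOT_A_RULE = ("#", "User_Alias", "Host_Alias", "Runas_Alias", "Defaults")

def lint(text, exists=os.path.exists):
    """Return sorted (alias, command, problem) tuples for a sudoers fragment."""
    aliases, findings = {}, set()
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = None if line.startswith(NOT_A_RULE) else SPEC.match(line)
        if not m:
            continue
        runas = m.group(3)  # None means the rule runs commands as root
        for alias in (a.strip() for a in m.group(4).split(",")):
            for cmd in aliases.get(alias, []):
                path, _, args = cmd.partition(" ")
                if not exists(path):
                    findings.add((alias, cmd, "path does not exist"))
                if os.path.basename(path) == "sudo":
                    findings.add((alias, cmd, "nested sudo; use a Runas_Spec"))
                if not args and runas is None:
                    findings.add((alias, cmd, "any arguments allowed, runs as root"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SUDOERS):
        print(*finding, sep=" | ")
```

By default the path check uses the filesystem of the host the script runs on; pass a different `exists` predicate to lint a fragment away from the target server.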