Negate "rpm" for restricted sudo access

Hey folks,

I’ve got a requirement to give sudo access to a user just to install some specific “rpm’s” and negate anything else, e.g. he can’t install any other package or can’t add spaces etc. (this is to be done via yum & zypper)

for e.g. if the pkg name is “ & my_package.def.rpm”, will the sudo line below be good enough? Suggestions please… thank you!!!

my_user ALL=NOPASSWD: /bin/rpm -* my_package.*

What is your actual problem?

Sorry if there is some confusion… basically the above sudoers entry works, which I tested too, but I’m thinking of any possibilities where the user can do more than what is intended.

Example for the “cat” command where I already have this negation and it works. So here the user can only cat files in /abc/def/* and everything else is denied. It’s kind of explicitly defining, I guess. I’m looking for something similar for “rpm”.

Cmnd_Alias BAU_CMDS = /usr/bin/cat /abc/def/*
Cmnd_Alias NEG_CAT = !/bin/cat /*, !/bin/cat * / *

# User Hosts RunAs Tags:Command

user host = (RUNAS) NOPASSWD: BAU_CMDS, NEG_CAT

Please let me know if things are still unclear; thanks for your patience.

I tried to get at the question of what you are trying to solve, just as explained in the link I provided in my first post.

Could you please explain, what you are actually trying to solve? Why do you need these restrictions? Why do you need such a user? What is the point of doing this?

We first need to understand the cause of your issue, before attempting a solution. Maybe there is a better solution out there? :smiley:

As I mentioned earlier, it’s a requirement at my workplace. The user is a monitoring app team member. They got sudo access to all systems to manage their app and now they require access to install some additional rpm pkgs.

So here I’m trying to give them access just to install those pkgs, but at the same time proactively make sure that they don’t do anything else.

This might be the answer

Well, I didn’t get a solution, but yes, some good info where I can do some more research and figure out my way… thanks Neville

Use Google for something like “restrict sudo commands”.
You will bring up all sorts of useful links.

What does that mean?

Anyway, this is one simple way to do it:

However, I would recommend looking at other solution ideas, rather than staying with your initial idea forever, without thinking about a better one.

For example, if the packages are always the same, why not pre-install them?
Or, if you really want the “restricted sudo access” permission, then you can allow the user to run a certain script, which allows them to only install packages.
However, that’s not a good solution. It’s not only cumbersome and hacky, it’s also insecure.
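As an added illustration (not code from anyone in this thread) of the wrapper-script approach mentioned in the last reply: the sudoers entry names one fixed command with no wildcards, and the script itself refuses anything that is not a single allowlisted file name, which is the check a bare `/bin/rpm -* my_package.*` pattern cannot express, since sudoers wildcards also match across spaces. The script path, staging directory and package-name pattern are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper: the only command the sudoers entry allows, e.g.
#   my_user ALL=(root) NOPASSWD: /usr/local/sbin/install-my-package
# Usage: sudo /usr/local/sbin/install-my-package <package-file-name>
set -eu

# Assumed staging directory, writable by root only, holding the approved rpms.
PKG_DIR="/var/local/approved-rpms"
# Assumed allowlist: my_package.rpm or my_package-<version...>.rpm, nothing else.
PKG_PATTERN='^my_package(-[0-9][0-9A-Za-z._+-]*)?\.rpm$'

# validate_pkg NAME: succeed only if NAME is a plain file name (no directory
# parts, no whitespace or control characters, no leading dot) that matches
# the allowlisted pattern. Everything the caller supplies goes through here.
validate_pkg() {
    name=$1
    case $name in
        ''|*/*|.*|*[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
    esac
    printf '%s' "$name" | grep -Eq -- "$PKG_PATTERN"
}

# Only the validated file name is interpolated, and only as the last operand
# of a fixed rpm invocation; the caller can never add options or extra paths.
if [ "$#" -eq 1 ]; then
    validate_pkg "$1" || { echo "refused: $1" >&2; exit 1; }
    exec /bin/rpm -Uvh "$PKG_DIR/$1"
fi
```

Any other argument count, an absolute path, an extra package on the same line, or a file outside the allowlist is refused before rpm ever runs.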