How to Grant Non-Root Users Specific Command Access Without Sudo: A BIND/DNS Administration Case Study



When managing DNS servers, having to prefix every administrative command with sudo creates friction in workflows. For our dns-manager user who needs to frequently execute BIND utilities like rndc and dnssec-keygen, this becomes particularly cumbersome.

Instead of granting full sudo access, the first instinct is often to add a file capability to the binary. For rndc this does nothing useful: rndc is a client that connects to named's control channel (127.0.0.1 port 953 by default) and authenticates with the shared secret in rndc.key; it never binds a privileged port, so CAP_NET_BIND_SERVICE grants it nothing it uses. The command still fails for dns-manager for the real reason, which is that rndc.key is not readable by that user. File capabilities are the right tool only for a binary that needs a specific kernel privilege; named, not rndc, is what listens on port 53, and its service unit already starts it with the privileges it needs.

# Check that no capability has been added to rndc; the expected output is empty
getcap /usr/sbin/rndc

What rndc actually needs is read access to the key file, which the group-based setup in the next section provides.

For commands that don't require elevated privileges but need specific file access, a dedicated group is the right tool. Keep the grant narrow: the group needs read access to rndc.key, and write access only to the directory that dnssec-keygen writes into (the key-directory from named.conf; shown here as /etc/bind/keys, adjust to your layout). It does not need write access to named.conf or to /etc/bind itself: whoever can write named.conf controls the whole server's configuration, and write permission on the directory allows replacing or deleting any file in it regardless of that file's own mode.

# Create a dedicated group for DNS administrators
sudo groupadd dnsadmin

# Add user to group (takes effect at the user's next login)
sudo usermod -aG dnsadmin dns-manager

# Group-readable key file: this is what lets rndc authenticate to named
sudo chgrp dnsadmin /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key

# Group-writable key directory (setgid, so new key files inherit the group)
sudo chgrp dnsadmin /etc/bind/keys
sudo chmod 2770 /etc/bind/keys

One caveat: named itself must still be able to read rndc.key after the change. On Debian the package installs it as root:bind 0640 and named runs as the bind user, so either add the bind user to dnsadmin as well, or keep the file's group and grant dnsadmin read access with a POSIX ACL (setfacl -m g:dnsadmin:r /etc/bind/rndc.key) instead of changing the group.

For modern Linux distributions using PolicyKit, starting, stopping and restarting the service through systemctl can be delegated without sudo as well. This covers only the systemd unit operations (rndc talks to named directly and never goes through polkit), and it requires a polkit version with JavaScript rules (0.106 or later; Debian up to bullseye and Ubuntu up to 22.04 shipped 0.105, which uses .pkla files instead):

// /etc/polkit-1/rules.d/10-dnsadmin.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.user == "dns-manager" &&
        action.lookup("unit") == "named.service") {
        return polkit.Result.YES;
    }
});

With this rule in place, `systemctl restart named.service` run as dns-manager succeeds without an authentication prompt, while every other unit still falls back to the default policy.

When implementing any of these solutions:

  • Always use the principle of least privilege
  • Audit command usage through named's logs: named logs every control-channel command it receives (for example `received control channel command 'reload'`), so review those rather than expecting rndc to log locally
  • Consider SELinux/AppArmor contexts where applicable
  • Document all permission changes in your runbooks

After implementing changes, verify as the restricted user. Use a fresh login session (the -i below starts one), because supplementary group membership is picked up at login, not in an already running shell:

sudo -u dns-manager -i
rndc status  # Should work without sudo

In Linux administration, we often face situations where non-root users need to execute specific privileged commands. Granting sudo access is the common approach, but it has drawbacks when the commands in question do not actually need root:

  • Users must prefix every command with sudo
  • A broad sudoers entry grants far more than the two or three commands that are needed, and even a narrow one runs the tool as root when it only needed to read one file
  • Habitual sudo use blurs, later, which operations genuinely required root

For the DNS management scenario, rndc and dnssec-keygen need no root privilege at all, only access to the right files, so we can do without sudo entirely. Two methods are commonly suggested; the first is shown only to explain why it should be avoided, the second is the one to use:

Method 1: Setting SUID on BIND Utilities (do not do this)

First, let's check the current permissions:


ls -l /usr/sbin/rndc
-rwxr-xr-x 1 root root 123456 Jan 1 12:34 /usr/sbin/rndc

This is already the right state: a root-owned, world-executable binary with no setuid bit. The tempting change is to make it setuid root and restrict execution to the user's group, so that rndc runs as root and can read rndc.key:


# Anti-pattern, shown for reference only
sudo chown root:dns-manager /usr/sbin/rndc
sudo chmod 4750 /usr/sbin/rndc

That trades one missing file permission for a root-privileged program that parses caller-controlled arguments and files: rndc takes -c (configuration file) and -k (key file) from whoever runs it, which is the classic setuid attack surface, and it needs no root privilege in the first place, since the control channel is an ordinary TCP connection to localhost. Leave the binary at 0755 root:root and give the user access to the key file instead (Method 2).

Method 2: Creating a Dedicated Group

For rndc, which must read rndc.key, and dnssec-keygen, which must write key files into the key-directory from named.conf (shown here as /etc/bind/keys; adjust to your layout):


sudo groupadd dns-admins
sudo usermod -aG dns-admins dns-manager
sudo chgrp dns-admins /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
sudo chgrp dns-admins /etc/bind/keys
sudo chmod 2770 /etc/bind/keys

Do not make /etc/bind itself group-writable: write permission on the directory lets a member replace or delete named.conf and every other file in it, whatever those files' own modes are, which amounts to full control of the server. Keep the service account's access too: on Debian the key ships as root:bind 0640 and named runs as the bind user, so either add the bind user to dns-admins or grant the group read access with an ACL (setfacl -m g:dns-admins:r /etc/bind/rndc.key) rather than changing the file's group.
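To apply the group setup (Method 2 here, and the dnsadmin group steps earlier in the page) in one repeatable step, here is an added example script that is not from the original page: it sets the intended ownership and modes on a BIND configuration tree and then audits them. It assumes a tree containing named.conf, rndc.key and a keys/ subdirectory used as key-directory (these paths are assumptions), a group named in DNS_GROUP that already exists, and that the named service account can still read the key afterwards (on Debian, where the file ships as root:bind, add the bind user to the group or use an ACL rather than changing the file's group). Run it as root against /etc/bind, or point BIND_ETC at a throwaway directory you own for a dry run.

```shell
#!/bin/sh
# Added example, not from the original page: set and audit least-privilege
# group access to a BIND configuration tree, so that rndc and dnssec-keygen
# work for group members without sudo or setuid.
#
# Assumptions (illustrative, adjust to your layout):
#   BIND_ETC   config tree containing named.conf, rndc.key and keys/
#   keys/      the key-directory from named.conf, where dnssec-keygen writes
#   DNS_GROUP  an existing group of DNS administrators
#   the named service account must still be able to read rndc.key afterwards
set -eu

BIND_ETC="${BIND_ETC:-/etc/bind}"
DNS_GROUP="${DNS_GROUP:-dnsadmin}"

# Intended state:
#   $dir        0750  members may enter and list, but not add or remove files
#   named.conf  0640  readable, not writable: writing it is full control of named
#   rndc.key    0640  readable by the group; this is all rndc needs
#   keys/       2770  group-writable with setgid, so new key files inherit the group
apply_dns_perms() {
    dir="$1"
    group="$2"
    chgrp "$group" "$dir" "$dir/named.conf" "$dir/rndc.key" "$dir/keys"
    chmod 0750 "$dir"
    chmod 0640 "$dir/named.conf" "$dir/rndc.key"
    chmod 2770 "$dir/keys"
}

# True if the path's permission bits exactly equal the given octal mode.
# find -perm with a plain mode is an exact match and is POSIX, unlike stat -c.
check_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# True only if every path has its intended mode and nothing in the tree is
# readable by "other" (a world-readable rndc.key hands the control channel
# to every local user).
verify_dns_perms() {
    dir="$1"
    check_mode "$dir" 0750 &&
        check_mode "$dir/named.conf" 0640 &&
        check_mode "$dir/rndc.key" 0640 &&
        check_mode "$dir/keys" 2770 &&
        [ -z "$(find "$dir" -perm -o+r -print)" ]
}

# Root-only convenience: show what the restricted user can actually do.
show_user_view() {
    user="$1"
    dir="$2"
    sudo -u "$user" sh -c "
        id -nG
        test -r '$dir/rndc.key'   && echo 'rndc.key: readable'  || echo 'rndc.key: NOT readable'
        test -w '$dir/keys'       && echo 'keys/: writable'     || echo 'keys/: NOT writable'
        test -w '$dir/named.conf' && echo 'named.conf: WRITABLE (too much)' || echo 'named.conf: read-only'
    "
}

# Usage:  sh dns-perms.sh apply             (as root)
#         sh dns-perms.sh check             (any user who can read the tree)
#         sh dns-perms.sh view dns-manager  (as root)
case "${1:-}" in
    apply) apply_dns_perms "$BIND_ETC" "$DNS_GROUP"
           verify_dns_perms "$BIND_ETC" || { echo "audit failed after apply: $BIND_ETC" >&2; exit 1; }
           echo "applied: $BIND_ETC" ;;
    check) verify_dns_perms "$BIND_ETC" || { echo "audit failed: $BIND_ETC" >&2; exit 1; }
           echo "ok: $BIND_ETC" ;;
    view)  show_user_view "${2:-dns-manager}" "$BIND_ETC" ;;
esac
```

The audit deliberately uses exact modes rather than "at least": a mode that is too permissive (group write on named.conf, anything readable by other) fails the check just as a mode that is too tight does, so the script doubles as the periodic permission audit the checklist below asks for.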

Linux capabilities are sometimes suggested for even more granular control, typically as setcap 'cap_net_bind_service=+ep' /usr/sbin/rndc. They do not apply here: rndc binds no privileged port and needs no kernel privilege, so the capability changes nothing, and file capabilities on a client binary only add a privileged executable to keep track of for no benefit. Confirm that none is set:


getcap /usr/sbin/rndc   # expected output: nothing

After implementation, the dns-manager user should be able to run:


rndc reload
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -K /etc/bind/keys example.com

without any sudo prefix, while remaining unable to perform other privileged operations. The -K option writes the key files into the group-writable key directory instead of the current directory; it must match the key-directory named in named.conf, and /etc/bind/keys is only an example path.

When implementing these changes:

  • Regularly audit file permissions, in particular that rndc.key is never readable by other and that named.conf and /etc/bind are not group-writable
  • Monitor named's logs for control-channel commands and zone reloads
  • Keep the set of privileged commands minimal
  • Consider using SELinux or AppArmor for additional protection