Granting a User Access to Only apt: A Hands-On Experiment with sudoers

So, I wanted to give a specific user the ability to use apt, but nothing else. I knew this had to be done via the sudoers file, but I wasn’t exactly sure how. No worries—just open the file and figure it out, right? Opening the sudoers File I ran: sudo visudo This opened up the sudoers file, where I started looking for something that controlled user privileges. I saw this familiar-looking line: username ALL=(ALL:ALL) ALL At first, I had no idea what it meant, so I Googled it. Turns out, the last ALL means the user can run all commands. That was my hint—this is where I had to tweak things. Changing Access to apt So, I replaced ALL with apt, thinking this would restrict the user to only using apt: username ALL=(ALL:ALL) apt I saved the file, but when I tried to use apt with the restricted user, I got an error—something about a path issue. I wasn’t sure what was going wrong, so I experimented a bit. Changing apt to APT Next, I tried changing apt to uppercase APT, just in case: username ALL=(ALL:ALL) APT This time, the file saved successfully, but the user still couldn’t run apt. The error message clearly said something about no access to /usr/bin/apt. That was the real problem. The Final Fix: Specifying the Full Path So, I copied the path /usr/bin/apt from the error message and used it explicitly in the sudoers file: username ALL=(ALL:ALL) /usr/bin/apt Saved the file, tested it, and boom—it worked! Now, the user could run apt, but nothing else. Lessons Learned The sudoers file controls which commands a user can execute with sudo. The last ALL in ALL=(ALL:ALL) ALL defines which commands a user can run. Specifying just apt doesn’t work—you need the full path (/usr/bin/apt). Always test changes in a separate terminal before closing visudo, so you don’t lock yourself out! That’s it! Hope this helps if you ever need to restrict users to specific commands.

Feb 22, 2025 - 05:34

Granting a User Access to Only apt: A Hands-On Experiment with sudoers

So, I wanted to give a specific user the ability to use apt, but nothing else. I knew this had to be done via the sudoers file, but I wasn’t exactly sure how. No worries—just open the file and figure it out, right?

Opening the sudoers File

I ran:

sudo visudo

This opened up the sudoers file, where I started looking for something that controlled user privileges. I saw this familiar-looking line:

username ALL=(ALL:ALL) ALL

At first, I had no idea what it meant, so I Googled it. Turns out, the last ALL means the user can run all commands. That was my hint—this is where I had to tweak things.

Changing Access to apt

So, I replaced ALL with apt, thinking this would restrict the user to only using apt:

username ALL=(ALL:ALL) apt

I saved the file, but when I tried to use apt with the restricted user, I got an error—something about a path issue. I wasn’t sure what was going wrong, so I experimented a bit.

Changing apt to APT

Next, I tried changing apt to uppercase APT, just in case:

username ALL=(ALL:ALL) APT

This time, the file saved successfully, but the user still couldn’t run apt. The error message clearly said something about no access to /usr/bin/apt. That was the real problem.

The Final Fix: Specifying the Full Path

So, I copied the path /usr/bin/apt from the error message and used it explicitly in the sudoers file:

username ALL=(ALL:ALL) /usr/bin/apt

Saved the file, tested it, and boom—it worked! Now, the user could run apt, but nothing else.

Lessons Learned

The sudoers file controls which commands a user can execute with sudo.
The last ALL in ALL=(ALL:ALL) ALL defines which commands a user can run.
Specifying just apt doesn’t work—you need the full path (/usr/bin/apt).
Always test changes in a separate terminal before closing visudo, so you don’t lock yourself out!

That’s it! Hope this helps if you ever need to restrict users to specific commands.