You want to ensure that your user is not able to make changes to what is being allowed to run. For example, by attempting to add a script owned by your user (~/.bash_aliases/shutdown2h) to be run as root via sudo without a password, you would allow any arbitrary command to be run. Simply edit that file and run it. It would be the same as allowing the user to run any command via sudoers. For example, the user would edit the file to read now instead of -h +120 and shut down the machine immediately.
Instead, it would be a better idea to add a script owned by the root user to the system, probably in /usr/local/bin/. For example, /usr/local/bin/shutdown2h, executable by everybody, but writable only by root. This way, you ensure that the user can only run the specific script, and that script cannot be changed by them to run something else. The path where you place the script should be in your $PATH, which /usr/local/bin should be in by default.
- Create the script
    sudo vim /usr/local/bin/shutdown2h
    #!/bin/bash
    shutdown -h +120
- Allow execution of the script
    sudo chmod +x /usr/local/bin/shutdown2h
- Allow USER to run specific script
    sudo visudo
    # Add this entry
    USER ALL=(ALL) NOPASSWD: /usr/local/bin/shutdown2h
Now, your user can run sudo shutdown2h without being asked for a password and be sure that that user will only be able to run shutdown -h +120 without a password.
Also, when making sudoers entries, be sure to provide the full path to the executable/script, and don't use any shortcuts like ~/ or $HOME.
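One way to check these conditions before adding the sudoers entry, as an added example that is not part of the original answer: the path must be absolute, and the script must be owned by root and not writable by group or others. It goes one step further than the text and applies the same ownership and mode test to the containing directory. The function name check_sudo_target and its optional OWNER_UID argument are hypothetical, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example: audit a script before granting it NOPASSWD in sudoers.
# check_sudo_target PATH [OWNER_UID]   (hypothetical helper)
#   OWNER_UID defaults to 0 (root); the override exists only so the check
#   can be tried on throwaway files without root.
check_sudo_target() {
    local path want_uid item uid mode
    path=$1
    want_uid=${2:-0}

    # sudoers entries need a full path: no ~/, $HOME, or relative names.
    case $path in
        /*) ;;
        *) echo "FAIL: '$path' is not an absolute path" >&2; return 1 ;;
    esac

    # A symlink could be re-pointed; require a real regular file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: '$path' is not a regular file" >&2; return 1
    fi

    # Both the script and its directory matter: write access to the
    # directory lets a user replace the script even if the file is read-only.
    for item in "$path" "$(dirname "$path")"; do
        uid=$(stat -c %u "$item") || return 1
        mode=$(stat -c %a "$item") || return 1
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: '$item' is owned by uid $uid, expected $want_uid" >&2
            return 1
        fi
        # Octal bits 020 (group write) and 002 (other write) must be clear.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: '$item' (mode $mode) is writable by group or others" >&2
            return 1
        fi
    done
    echo "OK: '$path' can only be changed by uid $want_uid"
}

# Usage: check_sudo_target /usr/local/bin/shutdown2h
```
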