I work at an e-commerce business. We have an old data center with a bit more than 100 old physical Red Hat Linux servers that are candidates for virtualization. The tool used to assess these machines is VMware Capacity Planner, which uses SSH to run commands on the candidate Linux machines. Three of those commands require root-level access. As an e-commerce shop, we are not going to give blanket root access to an outside vendor.
I explained this to both the vendor and to VMware technicians, all of whom suggested that I configure /etc/sudoers on the candidate machines with the following entry (assuming that there is a defined user named "cpcollector"):
cpcollector ALL=(ALL) ALL, NOPASSWD: ALL
This entry allows a user named "cpcollector" to run anything and everything it wants as if it were the root user, without having to enter a password! This is beyond stupid.
I was informed by the vendor that Capacity Planner runs only three commands which actually require root permissions:
dmidecode
ethtool
mii-tool
With this information in hand, I came up with a suitable set of entries for /etc/sudoers that gives Capacity Planner the level of access it needs without compromising security. That's what /etc/sudoers is for. Add these entries to the bottom of your /etc/sudoers file using the visudo command. Don't just cut and paste them: you need to put your machine's actual hostname in the Host_Alias line.
########### VMware Capacity Planner sudo access ###########
Cmnd_Alias VCP = /usr/sbin/dmidecode, /sbin/ethtool, /sbin/mii-tool
Host_Alias MDC_VCP_LIST=<your client hostname here>
User_Alias MDC_VCP_USERS=cpcollector
MDC_VCP_USERS MDC_VCP_LIST = NOPASSWD: VCP
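
To see the difference between the two configurations, here is an added example (not part of the original post, and not VMware's code) that parses sudoers text and lists what a given account is actually granted. The function names are hypothetical and web01.example.com is a placeholder hostname; the parser assumes one entry per line, ignores host matching, and does not handle commas inside command arguments.

```python
import re

def parse_aliases(lines, kind):
    """Collect 'Cmnd_Alias NAME = a, b' style lines into {NAME: [a, b]}."""
    aliases = {}
    for line in lines:
        m = re.match(rf"{kind}\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [v.strip() for v in m.group(2).split(",")]
    return aliases

def grants_for(sudoers_text, user):
    """Return [(command, nopasswd)] that the sudoers text gives to `user`."""
    lines = [l.split("#", 1)[0].strip() for l in sudoers_text.splitlines()]
    lines = [l for l in lines if l]
    users = parse_aliases(lines, "User_Alias")
    cmnds = parse_aliases(lines, "Cmnd_Alias")
    grants = []
    for line in lines:
        if re.match(r"(User|Cmnd|Host|Runas)_Alias\b|Defaults\b", line):
            continue
        m = re.match(r"(\S+)\s+[^=]+=\s*(.+)", line)
        if not m:
            continue
        who = m.group(1)
        if who not in (user, "ALL") and user not in users.get(who, []):
            continue
        nopasswd = False  # a tag applies to later commands on the line too
        for item in m.group(2).split(","):
            item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # drop Runas
            tag = re.match(r"(NOPASSWD|PASSWD):\s*", item)
            if tag:
                nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            grants.extend((cmd, nopasswd) for cmd in cmnds.get(item, [item]))
    return grants

def unrestricted(grants):
    """Grants that allow every command (the literal ALL)."""
    return [g for g in grants if g[0] == "ALL"]

# Constructed inputs: the vendor-suggested line and the scoped entries from
# this page, with web01.example.com as a placeholder hostname.
VENDOR = "cpcollector ALL=(ALL) ALL, NOPASSWD: ALL"
SCOPED = """\
Cmnd_Alias VCP = /usr/sbin/dmidecode, /sbin/ethtool, /sbin/mii-tool
Host_Alias MDC_VCP_LIST=web01.example.com
User_Alias MDC_VCP_USERS=cpcollector
MDC_VCP_USERS MDC_VCP_LIST = NOPASSWD: VCP
"""

if __name__ == "__main__":
    for name, text in (("vendor", VENDOR), ("scoped", SCOPED)):
        g = grants_for(text, "cpcollector")
        print(name, "grants:", g, "unrestricted:", unrestricted(g))
```

On the server itself, `visudo -c` checks the file's syntax and `sudo -l -U cpcollector` lists what the account may run. Confirm the three binary paths with `which` first, since they differ between distributions and releases.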