Getting sudo permissions right
Daniel Nashed – 19 February 2026 11:10:19
sudo can be used in multiple ways. In general it is a way to delegate root access for certain operations or to switch to root.
On Ubuntu, traditionally no user can log in directly as root remotely, and you have to switch from your account to root using "sudo su -".
But it can also be used to delegate individual commands or even just some parameters of a command.
Narrowed whitelist
What is really important is that the list is as narrow as possible.
You should only whitelist commands.
Allowing all commands and just having a blacklist does not work well!
If you only excluded some operations, an admin could, for example, copy the "bash" binary and just run it to gain root access.
When using sudo to get a root bash session, you should make sure that, at a minimum, opening the session asks for a password.
If you read one of my previous posts, there could even be a time-limited authorization to use root using signed SSH keys. But this would need some planning and an application to securely issue those SSH certs after validating the user and approving the access.
Running specific commands is usually OK without specifying a password.
Here is a simple example of how it can look for a "notes" application user.
Starting and stopping all services on a Domino server should be perfectly OK for a Domino admin.
You may also want the Domino user to reboot a machine or run similar commands which can only be performed by root.
Applying updates could also be an operation potentially delegated to an application admin.
visudo
notes ALL= NOPASSWD: /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *, /usr/bin/systemctl status *, /usr/sbin/reboot
Even allowing all systemctl operations could be used to gain higher access than intended. You could install your own services, for example, which would run with root permissions.
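To make the whitelist-versus-blacklist point concrete, here is an added example (not from the original post) of a small sudoers auditor. It parses rules from a constructed sample that contains the "notes" rule above plus two rules a reviewer should reject, and flags ALL-command grants, root shells, wildcard arguments and NOPASSWD on those; the rule regex and sample users are assumptions for the demonstration.

```python
import re
from os.path import basename

# Constructed sample sudoers content (not copied from a real host): the
# "notes" rule from the post plus two rules that should be flagged.
SAMPLE_SUDOERS = """\
# Domino application admin delegation
notes ALL= NOPASSWD: /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *, /usr/bin/systemctl status *, /usr/sbin/reboot
backup ALL=(ALL) NOPASSWD: ALL
deploy ALL= NOPASSWD: /bin/bash, /usr/bin/rsync -a /srv/app/ /var/www/
"""

# Programs that hand the caller an interactive shell or a full root switch.
SHELLS = {"bash", "sh", "dash", "zsh", "su"}

# user  host=(runas)  TAG: TAG:  command list  (comments and Defaults are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_rule(line):
    """Return (severity, message) findings for a single sudoers rule."""
    m = RULE_RE.match(line.strip())
    if not m or line.lstrip().startswith(("#", "Defaults")):
        return []
    user, tags, cmds = m["user"], m["tags"], m["cmds"]
    nopasswd = "NOPASSWD:" in tags
    findings = []
    for cmd in (c.strip() for c in cmds.split(",")):
        if not cmd:
            continue
        prog = cmd.split()[0]
        is_shell = basename(prog) in SHELLS
        if prog == "ALL":
            findings.append(("HIGH", f"{user}: ALL commands allowed (blacklist-style rule)"))
        elif is_shell:
            findings.append(("HIGH", f"{user}: {prog} gives a root shell"))
        if "*" in cmd:
            # A '*' in sudoers arguments matches anything, whitespace included,
            # so the effective scope is the whole program, not one verb.
            findings.append(("MEDIUM", f"{user}: wildcard arguments in '{cmd}'"))
        if nopasswd and (prog == "ALL" or is_shell):
            findings.append(("HIGH", f"{user}: no password required for '{cmd}'"))
    return findings


def audit_sudoers(text):
    """Audit every rule in a sudoers file body; returns all findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(audit_rule(line))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {msg}")
```

Run it against a copy of /etc/sudoers or an /etc/sudoers.d fragment before installing it with visudo; the "notes" rule only produces MEDIUM wildcard findings, which is exactly the residual risk described above.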
Check other ways to allow permissions -- Example Docker
Think about every operation you allow and check whether there are other ways to grant it.
For example, for Docker you can simply add the "notes" user to the "docker" group to allow a Domino admin to run all Docker commands.
usermod -aG docker notes
A good way to operate is to give the application user (in our case notes) everything an application admin has to do, and to let admins perform restricted operations only when needed.
Normal application administration usually does not require root.
You would need root permissions for example when updating Domino servers.
But there is also a way around that.
For a natively installed Domino server there is AutoUpdate since Domino 14.5, which uses an autoinstall binary running with SUID to gain root access to shut down Domino and install an update.
Those operations are also narrowed down to this exact use case, and the software to install is verified end to end using a software.jwt against a public key baked into the binary.
With Docker you can build an image with "notes" permissions, and if you git clone the repositories as the "notes" user, there is no need for "root" to build or operate Domino on Docker.