Command - Cmnd_Alias

What is Cmnd_Alias?

Cmnd_Alias (Command Alias) is a feature in /etc/sudoers (and files in /etc/sudoers.d/) that lets you group multiple commands under a single, easy-to-read name.

Instead of repeating long command paths many times, you define the group once and then reference the alias name in your user permission rules. This makes the sudoers configuration:

  • Much cleaner and more readable
  • Easier to maintain (add/remove commands in one place)
  • Less error-prone

It is one of four main alias types in sudoers:

  • User_Alias — groups of users
  • Host_Alias — groups of hosts
  • Runas_Alias — groups of users to run as
  • Cmnd_Alias — groups of commands (this one)

Basic Syntax

Cmnd_Alias  ALIAS_NAME = /full/path/to/command1, \
                       /full/path/to/command2 arg1 arg2, \
                       /full/path/to/command3

Rules:

  • Alias name must start with a capital letter and can contain uppercase letters, numbers, and underscores (e.g., API_SERVICE, SYSTEMCTL_API).
  • Always use full absolute paths to commands (never just systemctl).
  • You can continue long lines with a backslash \.
  • You can include other Cmnd_Alias names inside another one.

Example for Your api.service (Recommended Version)

Create or edit the file with sudo visudo -f /etc/sudoers.d/deploy-api:

# Command alias for managing the api.service safely
Cmnd_Alias API_SERVICE_CMDS = /usr/bin/systemctl start api.service, \
                             /usr/bin/systemctl stop api.service, \
                             /usr/bin/systemctl restart api.service, \
                             /usr/bin/systemctl status api.service

# Grant the deploy user passwordless access to only these commands
deployuser ALL=(ALL) NOPASSWD: API_SERVICE_CMDS

This is cleaner than listing the four commands directly on the user line.

More Flexible Example (Allow Any Action on the Specific Service)

If you want the deploy user to run any systemctl action on api.service (start, stop, restart, status, reload, enable, etc.):

Cmnd_Alias API_SERVICE_CMDS = /usr/bin/systemctl * api.service

deployuser ALL=(ALL) NOPASSWD: API_SERVICE_CMDS

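The * acts as a wildcard for arguments. Be careful: this is broader than the explicit list. The command line must still end with api.service, but sudoers matches the arguments as a single string, so * also matches across spaces and can cover more than one argument.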
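To check what a wildcard alias admits compared with the explicit list, here is an added example (not from the original page or the sudo project): a simplified Python model of sudoers argument matching, in which the arguments are joined into one string and globbed, as the sudoers manual describes. The alias names API_EXPLICIT and API_WILDCARD, the unit other.service, and the helper functions are assumptions made for the illustration.

```python
import fnmatch
import re

# Constructed sample: the page's two alias styles under hypothetical names.
SUDOERS = r"""
Cmnd_Alias API_EXPLICIT = /usr/bin/systemctl start api.service, \
                          /usr/bin/systemctl stop api.service, \
                          /usr/bin/systemctl restart api.service, \
                          /usr/bin/systemctl status api.service
Cmnd_Alias API_WILDCARD = /usr/bin/systemctl * api.service
"""

def parse_cmnd_aliases(text):
    """Return {alias: [(path, args_pattern_or_None), ...]}.
    Simplified: literal paths, no escaped commas, no nested aliases."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash continuations
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if m:
            entries = [c.strip().partition(" ") for c in m.group(2).split(",")]
            aliases[m.group(1)] = [(p, a.strip() or None) for p, _, a in entries]
    return aliases

def allowed(aliases, alias, argv):
    """Model of sudoers matching: the arguments are compared as ONE string,
    so a '*' in the rule can also swallow spaces (several arguments)."""
    joined = " ".join(argv[1:])
    return any(
        argv[0] == path and (pat is None or fnmatch.fnmatchcase(joined, pat))
        for path, pat in aliases[alias]
    )

def wildcard_only(aliases, candidates):
    """Command lines the wildcard alias admits but the explicit list does not."""
    return [c for c in candidates
            if allowed(aliases, "API_WILDCARD", c)
            and not allowed(aliases, "API_EXPLICIT", c)]

# Constructed command lines; other.service is a hypothetical second unit.
CANDIDATES = [
    ["/usr/bin/systemctl", "restart", "api.service"],
    ["/usr/bin/systemctl", "reload", "api.service"],
    ["/usr/bin/systemctl", "stop", "other.service", "api.service"],
]

if __name__ == "__main__":
    for argv in wildcard_only(parse_cmnd_aliases(SUDOERS), CANDIDATES):
        print("wildcard-only:", " ".join(argv))
```

Anything this reports beyond the actions you meant to grant is a reason to prefer the explicit list; on a real host, confirm the result with sudo -l.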

Even Better: Using Wildcards Safely

You can also allow common patterns:

Cmnd_Alias SYSTEMD_SERVICE = /usr/bin/systemctl start api.service, \
                            /usr/bin/systemctl stop api.service, \
                            /usr/bin/systemctl restart api.service, \
                            /usr/bin/systemctl reload api.service, \
                            /usr/bin/systemctl status api.service

# Or more permissive but still limited (use one definition or the other, not both;
# sudoers rejects an alias name that is defined twice):
Cmnd_Alias SYSTEMD_SERVICE = /usr/bin/systemctl * api.service

How to Use It in Your Setup

  • Create the file:
sudo visudo -f /etc/sudoers.d/10-deploy-api
  • Paste the Cmnd_Alias + user rule above.
  • Set correct permissions:
sudo chmod 0440 /etc/sudoers.d/10-deploy-api
  • Test it:
sudo -u deployuser sudo -l
    You should see the alias listed.

Then update your PowerShell script to use deployuser (instead of root).

Why This Is Better Than the Original Line

Your original line:

deployuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop api.service, /usr/bin/systemctl restart api.service, /usr/bin/systemctl status api.service

Works fine, but using Cmnd_Alias is preferred when:

  • You have more than 2–3 commands
  • You might want to add more actions later
  • You manage multiple services (you can create one alias per service)