sudo
sudo is an important command in the Linux user command set. It is a safe way to execute privileged tasks, and all commands executed with sudo are logged for audit purposes.
Running a command with sudo does not require the root credentials; fine-grained control over who may use sudo, and for what, is configured in the /etc/sudoers file.
Syntax
The /etc/sudoers file is read in a single pass; when multiple entries match, the last one has the highest precedence. Define aliases before using them.
Comments start with #, with one exception: UIDs are also prefixed with #, so #0 means uid 0 rather than a comment.
Aliases
There are 4 types of aliases in the sudoers file that can be used to assign permissions:
- User Aliases
- Runas Aliases
- Command Aliases
- Host Aliases
An alias is a name for a user or group of users, a host or group of hosts, or a command or group of commands.
Syntax: Alias_Type NAME = value1, value2, ...
User Aliases
# Everyone in the system group "admin" is covered by the ADMINS alias
User_Alias ADMINS = %admin
# The users "tom" and "james" are covered by the WEBDEV alias
User_Alias WEBDEV = tom, james
To exclude a user or group of users from a permission, prefix it with !:
# This matches anybody in the USERS alias who is not in the WEBMASTERS or ADMINS aliases
User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS
Runas Aliases
A Runas alias is similar to a User alias, except that users may also be specified by UID; this matches every username that shares that UID, as is done in some setups. UIDs are most commonly used for the root user:
# ROOT alias for uid 0; note that #0 is not a comment
Runas_Alias ROOT = #0
# ADMINS alias for the group admin plus the user root
Runas_Alias ADMINS = %admin, root
Command Aliases
Command aliases are lists of commands and directories; use them to name a group of commands. If you specify a directory (written with a trailing slash), it includes every file within that directory but not files in its subdirectories.
# All the power-option commands
Cmnd_Alias POWER_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
# Admin commands
Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd
# User management commands
Cmnd_Alias USERMAN_CMDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo
Host Aliases
A host alias is a list of hostnames, IP addresses, networks and netgroups (netgroups are prefixed with a + symbol).
Note: if you do not specify a netmask with a network, the netmask of the host's Ethernet interface(s) is used when matching, but it is good practice to state the netmask explicitly.
# These are all the servers
Host_Alias IAM_SERVERS = 10.10.2.5, 10.10.2.7, serverA
# This is the whole network
Host_Alias PUB_NET = 10.10.2.0/255.255.255.128
# And this is every machine in the network that is not a server
Host_Alias WORKSTATIONS = PUB_NET, !IAM_SERVERS
# Putting it all together without the intermediate alias:
# Host_Alias WORKSTATIONS = 10.10.2.0/255.255.255.128, !IAM_SERVERS
User Specifications
User specifications tie the aliases declared above together; this is where you set WHO can run WHAT, WHERE, and as WHOM:
WHO WHERE = (AS_WHOM) WHAT
# LAMP admins can run their commands provided they give their password
LAMPMIN LAMPSERVER = LAMP_CMDS
# This lets ADMINS run admin commands on all hosts under the SERVERS alias
ADMINS SERVERS = ADMIN_CMDS
# This lets all the USERS run admin commands on the workstations provided
# they give the root password or an admin's password (using "sudo -u ")
USERS WORKSTATIONS = (ADMINS) ADMIN_CMDS
# This lets "patrick" run LAMP commands without a password on his local machine workstation10
patrick workstation10 = NOPASSWD: LAMP_CMDS
# And this lets everybody print without requiring a password
ALL ALL = (ALL) NOPASSWD: PRINTING_CMDS
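To see how sudo resolves declarations like the ones above, here is an added Python example (not part of the original post) that parses a small constructed sudoers built from this page's aliases and evaluates who may run what, where, and as whom, honouring nested aliases, ! negation, the #uid form and last-match precedence. The passwd/group tables, hostnames and the sudoers text are all constructed; networks, wildcards and tags other than NOPASSWD are left out, so this models the matching rules rather than replacing sudo -l.

```python
import re
# Constructed stand-ins for /etc/passwd and /etc/group (not taken from the page).
UIDS, GROUPS = {"root": 0, "tom": 1001, "james": 1002}, {"tom": ["web"], "james": ["web", "admin"]}
# Constructed sudoers built from the aliases on this page; '#0' is uid 0, not a comment.
SUDOERS = """
Runas_Alias ROOT = #0
User_Alias ADMINS = %admin
User_Alias WEBDEV = tom, james
User_Alias LIMITED_USERS = WEBDEV, !ADMINS
Cmnd_Alias POWER_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
Host_Alias IAM_SERVERS = serverA, serverB
Host_Alias WORKSTATIONS = ALL, !IAM_SERVERS
LIMITED_USERS WORKSTATIONS = (ROOT) NOPASSWD: POWER_CMDS, !/sbin/halt
tom serverA = (ROOT) /sbin/reboot
"""
SPEC = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\((\S+?)\)\s*)?(NOPASSWD:)?\s*(.+)")  # WHO WHERE = (AS_WHOM) [tag] WHAT
def split(s): return [x.strip() for x in s.split(",") if x.strip()]

def parse(text):
    aliases, specs = {}, []
    for line in text.splitlines():
        line = re.sub(r"#(?!\d).*", "", line).strip()  # '#' opens a comment unless it prefixes a uid
        kind, _, rest = line.partition(" ")
        if kind.endswith("_Alias"):
            name, _, members = rest.partition("=")
            aliases.setdefault(kind, {})[name.strip()] = split(members)
        elif line:
            who, where, runas, nopass, cmds = SPEC.match(line).groups()
            specs.append((split(who), split(where), split(runas or "root"), bool(nopass), split(cmds)))
    return aliases, specs
def item_match(kind, name, value):  # one non-alias item: ALL, %group, #uid, or a literal name/path
    if kind in ("User_Alias", "Runas_Alias") and name[:1] in ("%", "#"):
        return name[1:] in GROUPS.get(value, []) if name[0] == "%" else UIDS.get(value) == int(name[1:])
    return name == "ALL" or name == value
def match(aliases, kind, items, value):  # aliases expand recursively; the LAST matching item decides
    verdict = None                        # None = nothing matched, False = the last match was negated
    for item in items:
        name = item.lstrip("!")
        hit = match(aliases, kind, aliases[kind][name], value) if name in aliases.get(kind, {}) else item_match(kind, name, value) or None
        if hit is not None:
            verdict = hit != item.startswith("!")
    return verdict
def check(aliases, specs, user, host, runas, cmd):  # -> (allowed, passwordless); later entries override earlier ones
    result = (False, False)
    for who, where, target, nopass, cmds in specs:
        if all(match(aliases, k, l, v) for k, l, v in (("User_Alias", who, user), ("Host_Alias", where, host), ("Runas_Alias", target, runas))):
            verdict = match(aliases, "Cmnd_Alias", cmds, cmd)
            result = result if verdict is None else (verdict, verdict and nopass)
    return result
```

With this file, tom reboots a workstation without a password but is refused /sbin/halt, james is excluded from LIMITED_USERS by !ADMINS even though he is in WEBDEV, and on serverA the later, more specific entry lets tom reboot only after authenticating.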
Examples from Man Pages
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full-time sysadmins may run any command on any host without authenticating.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias may run any command as user www (which owns the web pages) or simply su to www.
Important SUDO Commands
sudo -k
Removes the cached credentials for the user, so the next sudo command asks for the password again.
sudo -l
Lists the commands the current user is permitted to run.
sudo -l -U <user>
Lists the commands the specified user is permitted to run.
sudo -v
Validates the user's credentials and extends the credential cache by another timeout period (15 minutes by default, unless changed in the configuration file).
sudo -V
Prints the sudo version and the features it was built with.
sudo -e
Runs sudoedit, which edits a file with elevated privileges. The sudoers file itself should be edited with visudo, which locks the file and checks its syntax before saving; export the preferred editor variable in bash before running the command:
export EDITOR=/bin/nano; sudo visudo
In short, sudo is a great feature of Unix-like operating systems and a must-know for system administrators.