super user setup in Ubuntu Debian distribution

sudo is one of the most important commands in a Linux administrator's toolbox. It is a controlled way to execute privileged tasks: the user authenticates as themselves and runs a single command with elevated rights, and every command executed through sudo is logged (via syslog, which on Debian and Ubuntu ends up in /var/log/auth.log) for audit purposes.

Running a command through sudo does not require the root password; the user proves their own identity and sudo decides from policy whether that command is allowed. That policy, down to very fine detail, is set in /etc/sudoers (and in drop-in files under /etc/sudoers.d/ on Debian and Ubuntu).
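The audit trail mentioned above is only useful if someone reads it. As an added example (not part of the original article), here is a small Python parser for the records sudo writes to syslog; the log lines embedded in it are constructed for illustration but follow sudo's default record format, and the ROOT_SHELLS set is an assumption about which permitted commands amount to an unlogged root shell:

```python
"""Parse sudo's syslog records (/var/log/auth.log on Debian and Ubuntu) and pull out the
events worth alerting on. Added example, not code from the original article; the lines
in SAMPLE_LOG are constructed, but follow sudo's default record format:
    <user> : [<reason> ; ]TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<command>
"""
import re
from collections import Counter

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:\s"
    r"(?:(?P<reason>.+?)\s;\s)?TTY=(?P<tty>\S+)\s;\sPWD=(?P<pwd>\S+)\s;\s"
    r"USER=(?P<runas>\S+)\s;\sCOMMAND=(?P<cmd>.+)$")

# Assumption for this example: a rule that permits one of these hands out a full root
# shell, and sudo logs nothing typed inside it unless log_output/log_input is enabled.
ROOT_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/su"}


def parse_line(line):
    """Fields of one sudo command record, or None for other lines (for example the
    pam_unix session open/close messages, or records from other daemons)."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """Per-user counters for password failures, denied attempts and permitted root shells."""
    out = {"allowed": 0, "failed_auth": Counter(), "denied": Counter(), "root_shell": Counter()}
    for r in records:
        if r["reason"] is None:                        # the command was permitted and run
            out["allowed"] += 1
            if r["runas"] == "root" and r["cmd"].split()[0] in ROOT_SHELLS:
                out["root_shell"][r["user"]] += 1
        elif "incorrect password" in r["reason"]:      # "N incorrect password attempts"
            out["failed_auth"][r["user"]] += 1
        else:                                          # "user NOT in sudoers", "command not allowed"
            out["denied"][r["user"]] += 1
    return out


# Constructed sample log; hostnames, users and commands are invented.
SAMPLE_LOG = """\
Jan 12 10:15:01 ws10 sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd bob
Jan 12 10:15:01 ws10 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tom(uid=1001)
Jan 12 10:16:22 ws10 sudo:    james : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/james ; USER=root ; COMMAND=/bin/bash
Jan 12 10:17:05 ws10 sudo:      eve : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 12 10:18:00 ws10 sudo:      tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/bash
Jan 12 10:19:30 ws10 sudo:  patrick : TTY=pts/3 ; PWD=/home/patrick ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    for kind, per_user in summarize(parse_log(SAMPLE_LOG)).items():
        print(kind, dict(per_user) if isinstance(per_user, Counter) else per_user)
```

Three kinds of record deserve an alert: repeated "incorrect password attempts", "user NOT in sudoers" (someone probing for privilege they were never given), and permitted commands that are interactive shells, because sudo records only the command it launched and nothing the user does inside that shell unless I/O logging is turned on.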

Syntax

The /etc/sudoers file is parsed in a single pass from top to bottom. Several entries may match the same user, and when they do the last matching entry takes precedence (not the most specific one), so the order of the lines matters. Aliases must be defined before the line that uses them.
Comments start with #. The one exception is a # immediately followed by digits, which sudo reads as a numeric user ID (for example #0 for root), not as a comment.

Aliases

There are four types of aliases in the sudoers file, each used in a different position of a rule:

  • User Aliases
  • Runas Aliases
  • Command Aliases
  • Host Aliases

An alias is a named list: of users (User_Alias), of users a command may be run as (Runas_Alias), of commands (Cmnd_Alias) or of hosts (Host_Alias), so that the same group can be referenced from several rules. An alias name must start with an uppercase letter and may contain only uppercase letters, digits and underscores.
Syntax: Alias_Type NAME = value1, value2, ...

User Aliases
 # Everyone in the system group "admin" is covered by the alias ADMINS
 User_Alias ADMINS = %admin
 # The users "tom" and "james" are covered by the alias WEBDEV
 User_Alias WEBDEV = tom, james

To exclude a user, or a whole group of users, from an alias, prefix the item with !. The last matching item in a list decides, so put the exclusions after the items they restrict:

 # This matches anybody in the USERS alias who isn't in WEBMASTERS or ADMINS aliases
 User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS
Runas Aliases

A Runas_Alias is like a User_Alias, except that it lists the users (and %groups) a command may be run as, and it is where numeric UIDs are most useful. sudo matches user names as strings, so two accounts that share a UID are treated as different users unless the UID itself is written; #0 therefore matches every account with UID 0 (root and, on systems that have it, toor).

 # ROOT alias for UID 0. Note that #0 here is a UID, not a comment
 Runas_Alias ROOT = #0
 # ADMINS alias for the group "admin" plus the user root
 Runas_Alias ADMINS = %admin, root
Command Aliases

Command aliases are lists of fully qualified command paths and directories, used to grant a group of commands at once. A directory entry must end with a /, and it covers every file in that directory but nothing in its subdirectories. Bear in mind that some "administrative" commands are equivalent to full root: passwd can reset root's password, usermod can add a user to the sudo or admin group, and visudo rewrites this very file, so granting them through sudo is granting root.

 # All the power option commands
 Cmnd_Alias POWER_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
 # Admin commands (on Debian and Ubuntu passwd lives in /usr/bin)
 Cmnd_Alias ADMIN_CMDS = /usr/bin/passwd
 # User management commands
 Cmnd_Alias USERMAN_CMDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo
Host Aliases

A host alias is a list of hostnames, IP addresses, networks and netgroups (netgroups are prefixed with +).
Note: if a network is given without a netmask, the netmask of the host's own network interface(s) is used when matching. Always write the netmask (or prefix length) explicitly, so the rule means the same thing on every host.

 # These are all the servers
 Host_Alias IAM_SERVERS = 10.10.2.5, 10.10.2.7, serverA
 # This is the whole network
 Host_Alias PUB_NET = 10.10.2.0/255.255.255.128
 # And this is every machine in the network that is not a server
 Host_Alias WORKSTATIONS = PUB_NET, !IAM_SERVERS
 # Putting it all together: the same thing without the intermediate alias
 # Host_Alias WORKSTATIONS = 10.10.2.0/255.255.255.128, !IAM_SERVERS
User Specifications

User specifications are where the aliases declared above are joined together; this is where it is set WHO can run WHAT, on which HOST, as WHOM. The general form of a rule is:

 User_List Host_List = (Runas_List) [NOPASSWD:|PASSWD:] Cmnd_List

If the (Runas_List) is omitted the command may only be run as root.
 # LAMP admins can run their commands on the LAMP server provided they give their password
 LAMPMIN LAMPSERVER = LAMP_CMDS
 # This lets admins run the admin commands on every host in the SERVERS alias
 ADMINS SERVERS = ADMIN_CMDS
 # This lets all the USERS run the admin commands on the workstations as any user in
 # the ADMINS runas alias (chosen with "sudo -u <user>"); by default they authenticate
 # with their own password, not with the target user's
 USERS WORKSTATIONS = (ADMINS) ADMIN_CMDS
 # This lets "patrick" run the LAMP commands without a password on his own machine workstation10
 patrick workstation10 = NOPASSWD: LAMP_CMDS
 # And this lets everybody print without being asked for a password
 ALL ALL = (ALL) NOPASSWD: PRINTING_CMDS
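To see how the pieces above fit together (alias expansion, ! negation, #0 matching by UID, a directory entry in a Cmnd_Alias, the PASSWD/NOPASSWD tags and the last-match-wins rule from the Syntax section), here is a small evaluator for the subset of sudoers grammar used on this page. It is an added example written for this article, not sudo's own parser; the embedded sudoers text is constructed from the aliases above plus a hypothetical WEB_CMDS directory alias, and the users, UIDs and IP addresses it is checked against are invented:

```python
"""Minimal evaluator for the sudoers subset used on this page (added example: not sudo's own
parser, not code from the article). Handles the four alias types, '!' negation, '%group' and
'#uid' items, directory command entries (trailing '/', no subdirectories), PASSWD/NOPASSWD tags,
the default run-as user (root) and last-match-wins; netgroups, wildcards and Defaults are ignored."""
import ipaddress
import re
from collections import namedtuple

User = namedtuple("User", "name uid groups")      # invoking user or run-as target
Host = namedtuple("Host", "name ip")
Rule = namedtuple("Rule", "users hosts runas nopasswd cmds")
Sudoers = namedtuple("Sudoers", "aliases rules")  # aliases: {kind: {NAME: [items]}}

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_RE = re.compile(r"^(%s)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$" % "|".join(ALIAS_KINDS))
RULE_RE = re.compile(  # user host = (runas) [TAG:] commands; one token each for user and host
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD)\s*:\s*)?(.+)$")


def _split(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse(text):
    """Parse sudoers text. '#' starts a comment unless a digit follows (then it is a uid)."""
    s = Sudoers({k: {} for k in ALIAS_KINDS}, [])
    for raw in text.splitlines():
        line = re.sub(r"#(?!\d).*$", "", raw).strip()
        if not line:
            continue
        if m := ALIAS_RE.match(line):
            kind, name, items = m.groups()
            s.aliases[kind][name] = _split(items)
            continue
        if not (m := RULE_RE.match(line)):
            raise ValueError("unsupported line: %r" % raw)
        users, hosts, runas, tag, cmds = m.groups()
        s.rules.append(Rule([users], [hosts], _split(runas or "root"),
                            tag == "NOPASSWD", _split(cmds)))
    return s


def _item_matches(kind, item, subject):
    """Does one plain (non-alias) list item match the subject?"""
    if item == "ALL":
        return True
    if kind in ("User_Alias", "Runas_Alias"):
        if item.startswith("%"):            # %group: subject is a member of the group
            return item[1:] in subject.groups
        if item.startswith("#"):            # #uid: matches every name sharing that uid
            return int(item[1:]) == subject.uid
        return item == subject.name
    if kind == "Host_Alias":
        if "/" in item:                     # network given with netmask or prefix length
            return ipaddress.ip_address(subject.ip) in ipaddress.ip_network(item, strict=False)
        return item in (subject.name, subject.ip)
    if item.endswith("/"):                  # directory: its files, not its subdirectories
        return subject.rpartition("/")[0] + "/" == item
    return item == subject


def _list_matches(s, kind, items, subject):
    """Tri-state like sudo: True = match, False = negated match, None = no match; the last matching item decides."""
    result = None
    for item in items:
        negated = item.startswith("!")
        name = item.lstrip("!")
        alias = s.aliases[kind].get(name)   # alias names expand recursively
        hit = _list_matches(s, kind, alias, subject) if alias else _item_matches(kind, name, subject) or None
        if hit is not None:
            result = (not hit) if negated else hit
    return result


def check(s, user, host, cmd, runas=None):
    """Return 'NOPASSWD', 'PASSWD' or 'DENIED' for user running cmd on host as runas."""
    runas = runas or User("root", 0, frozenset({"root"}))  # sudo's runas_default
    verdict = None
    for r in s.rules:                                       # file order: last match wins
        lists = (("User_Alias", r.users, user), ("Host_Alias", r.hosts, host),
                 ("Runas_Alias", r.runas, runas))
        if not all(_list_matches(s, k, lst, x) is True for k, lst, x in lists):
            continue
        hit = _list_matches(s, "Cmnd_Alias", r.cmds, cmd)
        if hit is not None:               # a negated command match is an explicit deny
            verdict = ("NOPASSWD" if r.nopasswd else "PASSWD") if hit else "DENIED"
    return verdict or "DENIED"


SAMPLE = """\
# constructed sample: this page's aliases plus a hypothetical WEB_CMDS directory alias
User_Alias ADMINS = %admin
User_Alias WEBDEV = tom, james
Runas_Alias ROOT = #0
Runas_Alias ADMINS = %admin, root
Cmnd_Alias WEB_CMDS = /usr/local/webtools/
Host_Alias IAM_SERVERS = 10.10.2.5, 10.10.2.7, serverA
Host_Alias WORKSTATIONS = 10.10.2.0/255.255.255.128, !IAM_SERVERS
ADMINS IAM_SERVERS = (ROOT) /usr/sbin/useradd, /usr/sbin/usermod
WEBDEV WORKSTATIONS = (ADMINS) WEB_CMDS
patrick workstation10 = NOPASSWD: /sbin/poweroff, /sbin/reboot
patrick workstation10 = PASSWD: /sbin/reboot
ALL ALL = (ALL) WEB_CMDS, !/usr/local/webtools/dangerous
"""
```

The two patrick lines show why order matters: the first grants both power commands without a password, the second, matching later, puts the password back for /sbin/reboot only. The last line shows that a negated command (!...) is an explicit deny that overrides an earlier allow, while a file in a subdirectory of /usr/local/webtools/ is simply never matched by the directory entry. Real sudo is stricter and richer (wildcards, command arguments, Defaults, netgroups), so check the real file with visudo -c and the effective rules with sudo -l -U <user>.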

 

Examples from Man Pages

 root            ALL = (ALL) ALL
 %wheel          ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as any user. (Debian and Ubuntu use the group sudo, and historically admin, for this purpose rather than wheel.)
 FULLTIMERS      ALL = NOPASSWD: ALL
Full time sysadmins may run any command on any host without authenticating.
 WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias may run any command as user www (which owns the web pages) or simply su to www.
Important SUDO Commands

sudo -k

Invalidates the user's cached credentials, so the next sudo command asks for the password again.

sudo -l

Lists the current user permitted commands

sudo -U <user> -l

Lists the commands the specified user is permitted to run. -U takes the user name as its argument, so the two options cannot be combined as -Ul; with the sudoers policy only root, or a user who has ALL privileges (or the list privilege) on the current host, may list another user's rules.

sudo -v

Re-authenticates the user and extends the credential cache for another timestamp_timeout period (15 minutes by default) without running any command.

sudo -V

Lists sudo version details and features

sudo visudo

Always edit /etc/sudoers (and the drop-in files under /etc/sudoers.d/) with visudo, never with a plain editor: visudo locks the file against concurrent edits and refuses to save a version with a syntax error, and a broken /etc/sudoers locks every user out of sudo at once. visudo -c checks the installed file without editing it (visudo -cf <file> checks another file). Note that sudo -e, also installed as sudoedit, is a different feature: it edits an arbitrary file as another user through a temporary copy and is not meant for the sudoers file. visudo honours the SUDO_EDITOR, VISUAL or EDITOR variable only when the env_editor option is enabled and the variable survives env_reset; on Debian and Ubuntu the dependable way to choose the editor is sudo update-alternatives --config editor.

export EDITOR=/bin/nano; sudo visudo

In short, sudo is an essential feature of Unix-like operating systems and a must-know for every system administrator.


Copyright © 2021 | SaitCare Hub SDN BHD