super user setup in Ubuntu Debian distribution

super user

The sudo command is one of the most important commands in the Linux user toolset. It is a safe way to execute privileged tasks, and every command executed with sudo is logged for audit purposes.

Running a command with sudo does not require the root credentials (the user authenticates with their own password), and fine-grained control over who may run what is configured in the /etc/sudoers file.

Syntax

The /etc/sudoers file is read in one pass: when multiple entries match, the last one has the highest precedence. Aliases should be defined before they are used.
Comments start with #, with the exception that UIDs are also prefixed with a # symbol (see the Runas aliases below).

Aliases

There are four types of alias in the sudoers file that can be used to assign permissions:

  • User Aliases
  • Runas Aliases
  • Command Aliases
  • Host Aliases

An alias is a name for a user or group of users, a host or group of hosts, or a command or group of commands.
Syntax: Alias_type NAME = value1, value2, ...

User Aliases

 # Everyone in the system group "admin" (the % prefix denotes a group) is covered by the alias ADMINS
 User_Alias ADMINS = %admin
 # The users "tom" and "james" are covered by the WEBDEV alias
 User_Alias WEBDEV = tom, james

To exclude a user or group of users from a permission, prefix the entry with !

 # This matches anybody in the USERS alias who isn't in the WEBMASTERS or ADMINS aliases
 User_Alias LIMITED_USERS = USERS, !WEBMASTERS, !ADMINS

Runas Aliases

A Runas alias is similar to a User alias, except that it also allows users to be specified by UID. This matches every username that shares a single UID, as is practised on some systems.
In practice a UID is mostly used for the root user (Runas_Alias ROOT = #0):

 # ROOT alias for uid 0. Note: #0 is a UID here, not a comment
 Runas_Alias ROOT = #0
 # ADMINS alias for the group admin plus the user root
 Runas_Alias ADMINS = %admin, root

Command Aliases

Command aliases are lists of commands and directories. You can use them to specify a group of commands. If you specify a directory (a fully qualified path ending in /), it includes any file within that directory but not files in its subdirectories.

 # All the power option commands
 Cmnd_Alias POWER_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
 # Admin commands (no trailing comma: a dangling comma is a syntax error in sudoers)
 Cmnd_Alias ADMIN_CMDS = /usr/sbin/passwd
 # User management commands
 Cmnd_Alias USERMAN_CMDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/visudo

Host Aliases

A host alias is a list of hostnames, IP addresses, networks and netgroups (the latter prefixed with a + symbol).
Note: if you do not specify a netmask with a network, the netmask of the host's Ethernet interface(s) is used when matching; it is good practice to specify the netmask explicitly.

 # This is all the servers
 Host_Alias IAM_SERVERS = 10.10.2.5, 10.10.2.7, serverA
 # This is the whole network
 Host_Alias PUB_NET = 10.10.2.0/255.255.255.128
 # And this is every machine in the network that is not a server
 Host_Alias WORKSTATIONS = PUB_NET, !IAM_SERVERS
 # Putting it all together, the previous line expands to:
 # Host_Alias WORKSTATIONS = 10.10.2.0/255.255.255.128, !IAM_SERVERS

User Specifications

Joining the aliases declared above is the main part: a user specification is where you set WHO can run WHAT, as WHOM, and on WHICH hosts.

Syntax: User_List Host_List = (Runas_List) Cmnd_List
 # LAMP admins can run their commands provided they give their password
 LAMPMIN LAMPSERVER= LAMP_CMDS
 # This lets ADMINS run admin commands on all hosts under the SERVERS alias
 ADMINS SERVERS= ADMIN_CMDS
 # This lets all the USERS run admin commands on the workstations as any account in ADMINS
 # (chosen with "sudo -u <user>"); by default they authenticate with their own password
 USERS WORKSTATIONS=(ADMINS) ADMIN_CMDS
 # This lets "patrick" run LAMP commands without a password on his local machine workstation10
 patrick workstation10= NOPASSWD: LAMP_CMDS
 # And this lets everybody print without requiring a password
 ALL ALL=(ALL) NOPASSWD: PRINTING_CMDS
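As an added example (not from the original page or from the sudo project), the following Python script models how sudo resolves the aliases and user specifications described in the Syntax, Aliases and User Specifications sections above: nested aliases, ! exclusion, %group membership, and the rule that the last matching entry wins. The sudoers fragment and the GROUPS table are constructed for the demo; Runas lists, netmasks and wildcards are deliberately not handled.

```python
import re

# Constructed sudoers fragment for this demo; the alias names follow the ones used on this page.
SUDOERS = """
User_Alias ADMINS = %admin
User_Alias WEBDEV = tom, james
User_Alias LIMITED_USERS = WEBDEV, !ADMINS
Cmnd_Alias POWER_CMDS = /sbin/poweroff, /sbin/reboot, /sbin/halt
Host_Alias IAM_SERVERS = 10.10.2.5, serverA
LIMITED_USERS ALL = NOPASSWD: POWER_CMDS
# A later entry overrides an earlier one: on the servers tom must authenticate and may not halt.
tom IAM_SERVERS = PASSWD: POWER_CMDS, !/sbin/halt
"""
GROUPS = {"admin": {"james"}}  # constructed stand-in for /etc/group lookups

def parse(text):
    """Return (aliases, specs) in file order; Runas lists, netmasks and wildcards are not handled."""
    aliases, specs = {}, []
    for line in filter(None, (re.sub(r"#(?!\d).*", "", raw).strip() for raw in text.splitlines())):
        # the substitution above drops comments but keeps uids such as #0
        if m := re.match(r"(?:User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)", line):
            aliases[m[1]] = [x.strip() for x in m[2].split(",")]
        elif m := re.match(r"(\S+)\s+(\S+)\s*=\s*(?:(\w+):\s*)?(.*)", line):
            specs.append((m[1], m[2], m[3], [x.strip() for x in m[4].split(",")]))
    return aliases, specs

def list_matches(members, subject, aliases):
    """Last matching member decides ('!' turns a match into a deny): True allow, False deny, None no match."""
    result = None
    for member in members:
        neg, name = member.startswith("!"), member.lstrip("!")
        if name in aliases:  # aliases may nest and may themselves be negated
            hit = list_matches(aliases[name], subject, aliases)
        else:
            hit = True if name == "ALL" or name == subject or (
                name.startswith("%") and subject in GROUPS.get(name[1:], ())) else None
        if hit is not None:
            result = hit != neg
    return result

def check(sudoers, user, host, cmnd):
    """May USER run CMND on HOST? None (no rule) or (allowed, password_required); the last matching spec wins."""
    aliases, specs = parse(sudoers)
    verdict = None
    for users, hosts, tag, cmnds in specs:
        if list_matches([users], user, aliases) and list_matches([hosts], host, aliases):
            allowed = list_matches(cmnds, cmnd, aliases)
            if allowed is not None:
                verdict = (allowed, tag != "NOPASSWD")
    return verdict
```

This is a model for reasoning about a fragment offline; on a real host, sudo -l shows the effective policy.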

Examples from Man Pages

 root            ALL = (ALL) ALL
 %wheel          ALL = (ALL) ALL

We let root and any user in group wheel run any command on any host as any user.

 FULLTIMERS      ALL = NOPASSWD: ALL

Full-time sysadmins may run any command on any host without authenticating.

 WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias may run any command as user www (which owns the web pages) or simply su to www.

Important SUDO Commands

sudo -k

This command removes the cached credentials for the user, so the next sudo command asks for the password again.

sudo -l

Lists the commands the current user is permitted to run.

sudo -U <user> -l

Lists the commands the specified user is permitted to run. The sudoers policy only allows root, or a user with the ALL privilege on the current host, to list another user's privileges.

sudo -v

Re-validates the user's credentials and extends the credential cache for another timeout period (15 minutes by default, as set in the configuration file).

sudo -V

Prints the sudo version and its compiled-in features.

sudo -e

sudo -e (sudoedit) edits an arbitrary file with elevated privileges. The sudoers file itself should be edited with visudo, which locks the file and checks its syntax before saving, so a typo cannot lock everyone out of sudo. Export the preferred editor variable in bash before running it:

export EDITOR=/bin/nano ; sudo visudo

In short, sudo is a great feature of *nix operating systems and a must-know for system administrators.

Copyright © 2021 | SaitCare Hub SDN BHD