Granting Root Privileges on Occasion: The sudo Command

It is often necessary to delegate some of the authority that root wields on a system. For a large system, this makes sense because no single individual will always be available to perform super user functions. The problem is that UNIX permissions come with all-or-nothing authority. Enter sudo, an application that permits the assignment of one, several, or all of the root-only system commands to specific users or groups.

Note

As mentioned earlier, the sudo command is pervasive in Ubuntu, because it is used by default. If you want to get to a root shell, thereby removing the need to type sudo before every command, just enter sudo -i to get the root prompt. To return to a normal user prompt, enter exit and press Return.

After it is configured, using sudo is simple. An authorized user merely precedes the super user authority-needed command with the sudo command, like so:

$ sudo command

sudo checks the /etc/sudoers file to see whether that user is authorized to execute that particular command; if so, sudo generates a "ticket" that authorizes the use of that command for a specific length of time. The user is prompted for his own password (to preserve accountability and provide some measure of security), and then the command is run as if root had issued it. During the life of the ticket, the command can be used again without a password prompt. If an unauthorized user attempts to execute a sudo command, a record of the unauthorized attempt is kept in the system log and a mail message is sent to the super user.

Three man pages are associated with sudo: sudo, sudoers, and visudo. The first covers the command itself, the second the format of the /etc/sudoers file, and the third the use of the special editor for /etc/sudoers. You should use the special editing command because it checks the file for parse errors before saving and locks the file to prevent others from editing it at the same time. The visudo command uses the vi editor, so you might need a quick review of the vi editing commands found in Chapter 5 in the section "Working with vi." You begin editing by executing the visudo command:

$ sudo visudo

The default /etc/sudoers file looks like this:

# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults
Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

The basic format of a sudoers line in the file is as follows:

user host_computer=command

The user can be an individual user or a group (prepended by a % to identify the name as a group). The host_computer is normally ALL for all hosts on the network and localhost for the local machine, but the host computer can be referenced as a subnet or any specific host. The command in the sudoers line can be ALL, a comma-separated list of specific commands, or a restriction on specific commands (formed by prepending a ! to the command). A number of options are available for use with the sudoers line, and aliases can be used to simplify the assignment of privileges. Again, the sudoers man page gives the details, but here are a few examples:

If we uncomment the line

any user we add to the wheel group can execute any command without a password.

Suppose that we want to give user shelley permission across the network to be able to add users with the graphical interface. We would add the line

shelley ALL=/system-config-users

or perhaps grant permission only on her local computer:

shelley 192.168.1.87=/usr/bin/system-config-users

If we want to give the editors group systemwide permission, with no password required, to delete files, we add:

%editors ALL=NOPASSWD: /bin/rm

If we want to give every user permission, with no password required, to mount and unmount the CD drive on the localhost, we add (note the comma separating the two commands):

ALL localhost=NOPASSWD:/sbin/mount /dev/scd0 /mnt/cdrom, /sbin/umount /mnt/cdrom
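The following is an added illustration, not code from the book or from the sudo project: a small Python model of the plain user host=(runas) [NOPASSWD:] command, command line format described above, with the sudo matching rules that matter most when reading such lines (ALL matches anything, a command listed without arguments accepts any arguments, a command listed with arguments must match exactly, ! denies, and the last matching entry wins). It ignores aliases, wildcards and Defaults, so it is a teaching model rather than sudo's real matcher. The sample file, the users alice and bob and the host name web1 are constructed for the example. It also shows what happens if the comma between the mount and umount commands on the CD-ROM line is left out: sudo then reads the whole thing as a single mount command with four arguments, and umount is never permitted.

```python
import re
from dataclasses import dataclass

# Matches:  who host=(runas) rest      (the runas part is optional)
RULE_RE = re.compile(r'^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*(.*)$')


@dataclass
class Rule:
    who: str         # user name, %group, or ALL
    host: str        # ALL, a host name, or an address
    runas: str       # the (user) part; sudo defaults it to root
    nopasswd: bool   # True when the NOPASSWD: tag is present
    commands: list   # (allowed, command) pairs; allowed is False for !cmd


def parse_sudoers_line(line):
    """Parse one user-specification line; return None for comments,
    blank lines and Defaults entries."""
    line = line.strip()
    if not line or line.startswith('#') or line.startswith('Defaults'):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError('unparsable sudoers line: %r' % line)
    who, host, runas, rest = m.groups()
    nopasswd = False
    if rest.startswith('NOPASSWD:'):
        nopasswd, rest = True, rest[len('NOPASSWD:'):]
    elif rest.startswith('PASSWD:'):
        rest = rest[len('PASSWD:'):]
    commands = []
    for cmd in rest.split(','):           # commands are comma separated
        cmd = ' '.join(cmd.split())       # collapse surrounding/inner blanks
        if cmd:
            commands.append((not cmd.startswith('!'), cmd.lstrip('!')))
    return Rule(who, host, runas or 'root', nopasswd, commands)


def load_sudoers(text):
    """Parse a whole file body into its rules, in file order."""
    rules = [parse_sudoers_line(l) for l in text.splitlines()]
    return [r for r in rules if r is not None]


def command_matches(pattern, requested):
    """Simplified sudo matching: ALL matches anything; a pattern with no
    arguments matches that program with any arguments; a pattern that
    lists arguments must match the requested command line exactly."""
    if pattern == 'ALL':
        return True
    p, r = pattern.split(), requested.split()
    if not r or p[0] != r[0]:
        return False
    return len(p) == 1 or p == r


def check(rules, user, groups, host, command):
    """Walk the rules in file order; as in sudo, the last matching entry
    wins.  Returns (allowed, password_required)."""
    decision = (False, True)
    for rule in rules:
        user_ok = (rule.who in ('ALL', user)
                   or (rule.who.startswith('%') and rule.who[1:] in groups))
        if not user_ok or rule.host not in ('ALL', host):
            continue
        for allowed, pattern in rule.commands:
            if command_matches(pattern, command):
                decision = (allowed, not rule.nopasswd)
    return decision


# Constructed sample built from the entries discussed in the text;
# alice is a made-up user added to show the ! form.
SAMPLE_SUDOERS = """
# User privilege specification
root     ALL=(ALL) ALL
%admin   ALL=(ALL) ALL
shelley  192.168.1.87=/usr/bin/system-config-users
%editors ALL=NOPASSWD: /bin/rm
alice    ALL=ALL, !/bin/su
"""

# The CD-ROM line without and with the comma that separates its two commands.
MOUNT_MISSING_COMMA = 'ALL localhost=NOPASSWD:/sbin/mount /dev/scd0 /mnt/cdrom /sbin/umount /mnt/cdrom'
MOUNT_FIXED = 'ALL localhost=NOPASSWD:/sbin/mount /dev/scd0 /mnt/cdrom, /sbin/umount /mnt/cdrom'

if __name__ == '__main__':
    rules = load_sudoers(SAMPLE_SUDOERS)
    print(check(rules, 'shelley', [], '192.168.1.87', '/usr/bin/system-config-users'))
    print(check(rules, 'bob', ['editors'], 'web1', '/bin/rm -rf /tmp/scratch'))
    for text in (MOUNT_MISSING_COMMA, MOUNT_FIXED):
        r = load_sudoers(text)
        print(len(r[0].commands), 'command(s):',
              check(r, 'bob', [], 'localhost', '/sbin/umount /mnt/cdrom'))
```

Two points the model makes visible. First, because /bin/rm is listed without arguments, the editors group may run it with any arguments at all, which is a much broader grant than "delete files" suggests. Second, the alice line uses the ! form from the text; the sudoers man page itself warns that subtracting commands from ALL this way is not a reliable restriction, since a user who may run ALL can copy the excluded program under another name, so treat ! as a convenience rather than a security boundary. Real sudo also matches the host field against the machine's own host name (the !fqdn default above controls whether the fully qualified name is used) and supports aliases, neither of which this model handles.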

It is also possible to use wildcards in the construction of the sudoers file. Aliases can be used, too, to make it easier to define users and groups. Although the man page for sudoers contains some examples, http://www.komar.org/pres/sudo/toc.html provides illustrative notes and comments on sudo use at a large aerospace company. The sudo home page at http://www.sudo.ws/ is also a useful resource for additional explanations and examples.

The following command presents users with a list of the commands they are entitled to use:
