Configuring sudo
Configuring sudo is where a lot of people get a bit confused. The configuration is not too difficult if you take small steps and test each part as you build the configuration file. If you look in /etc after the installation is complete, you will see a file called sudoers. The sudoers file is used to configure the commands and users for the sudo program. Be very careful to never directly edit the sudoers file! A special program is supplied that has a wrapper around the vi editor called visudo, or vi sudo.
The visudo program resides in /usr/local/sbin by default. The nice thing about visudo is that it checks the /etc/sudoers file for any errors before saving the file. If errors are detected, the visudo program will tell you exactly what the error is and in most cases the line the error is on. If you directly edit the /etc/sudoers file and you make a mistake, the editor will just let you save the file, with the mistake, and it can be difficult to find the error. The visudo program checks for the correct file format and ensures that the command/user references are consistent. If you make a mistake with a user name, the visudo editor will not catch the mistake, but this type of error should be easy to find and correct after an initial run.
I am enclosing two samples of an /etc/sudoers file for you to use as a template, in Listings 14.5 and 14.6.
NOTE The sudoers file in Listing 14.5 is used with the permission of Todd Miller at www.courtesan.com and is included in the sudo distribution as a sample. Thank you, Todd!
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  PARTTIMERS = bostley, jwfox, crawl
User_Alias  WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias  SPARC = bigtime, eclipse, moet, anchor:\
            SGI = grolsch, dandelion, black:\
            ALPHA = widget, thalamus, foobar:\
            HPPA = boa, nag, python
Host_Alias  CUNETS = 128.138.0.0/255.255.0.0
Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias  SERVERS = master, mail, www, ns
Host_Alias  CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias  DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
            /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias  KILL = /usr/bin/kill
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias  HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias  REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
            /usr/local/bin/tcsh, /usr/bin/rsh, \
            /usr/local/bin/zsh
Cmnd_Alias  SU = /usr/bin/su
Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
            /usr/bin/chfn

##
# Override builtin defaults
##
Defaults            syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert    !authenticate
Defaults@SERVERS    log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine
# as any user
root        ALL = (ALL) ALL
%wheel      ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS  ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS  ALL = ALL

# jack may run anything on machines in CSNETS
jack        CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa        CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator    ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
            /usr/oper/bin/

# joe may su only to operator
joe         ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete        HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob         SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim         +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred        ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen         ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill        SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve       CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt        valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a CD-ROM on the machines in the CDROM alias
ALL         CDROM = NOPASSWD: /sbin/umount /CDROM,\
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Listing 14.5 Sample /etc/sudoers file #1.
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Users Identification:
#
# All ROOT access:
#   d7742 - Michael
#
# Restricted Access to: mount umount and exportfs
#
# Restricted Access to: Start and stop Fasttrack Web Server
#   d7525 - Brinker
#
# Restricted OPERATIONS access
#   d6331 - Sutter
#   d6814 - Martin
#   d8422 - Smith
#   d9226 - Milando
#   d9443 - Summers
#   d0640 - Lawson
#   d2105 - Fanchin
#   d2188 - Grizzle
#   d3408 - Foster
#   d3551 - Dennis
#   d3883 - Nations
#   d6290 - Alexander
#   d6635 - Wright
#   d3916 - Chatman
#   d6782 - Scott
#   d6810 - Duckery
#   d6811 - Wells
#   d6817 - Gilliam
#   d5123 - Crynick
#   d7504 - Davis
#   d7505 - McCaskey
#   d7723 - Rivers

# Host alias specification
Host_Alias  LOCAL=yogi

# User alias specification
User_Alias  NORMAL=d7742,d7537,d7526,d6029,d7204,d1076,d7764,d7808
User_Alias  ADMIN=e17742,d7211,d6895,d8665,d7539,b003
User_Alias  ORACLE=d7742
User_Alias  SAP=d7742
User_Alias  OPERATOR=d7742,d6895,d6331,d6814,d8422,d9226,d9443,d0640,\
            d2105,d2188,d3408,d3551,d3883,d6290,d2749,d6635,d3916,d6782,d6810,\
            d6811,d6817,d5123,d7504,d7505,d7723
User_Alias  FASTTRACK=d3920,d7525,d7794

# Cmnd alias specification
Cmnd_Alias  MNT=/usr/bin/mount
Cmnd_Alias  UMNT=/usr/bin/umount
Cmnd_Alias  EXP_FS=/usr/bin/exportfs
Cmnd_Alias  KILL=/usr/bin/kill
Cmnd_Alias  ROOT_SU=/usr/bin/su -
Cmnd_Alias  SU_ROOT=/usr/bin/su - root
Cmnd_Alias  SUROOT=/usr/bin/su root
Cmnd_Alias  ORACLE_SU=/usr/bin/su - oracle
Cmnd_Alias  SAP_SU=/usr/bin/su - sap
Cmnd_Alias  TCPDUMP=/usr/sbin/tcpdump
Cmnd_Alias  ERRPT=/usr/bin/errpt
Cmnd_Alias  SVRMGRL=/oracle/product/8.0.5/bin/svrmgrl
Cmnd_Alias  RSH_UPDATE=/usr/local/bin/rsh_update.ksh
Cmnd_Alias  START_FT_YOGI=/usr/netscape/httpd-yogi/start
Cmnd_Alias  STOP_FT_YOGI=/usr/netscape/httpd-yogi/stop
Cmnd_Alias  START_FT_DINO=/usr/netscape/httpd-dino/start
Cmnd_Alias  STOP_FT_DINO=/usr/netscape/httpd-dino/stop
Cmnd_Alias  START_WSADM=/usr/netscape/start-admin
Cmnd_Alias  STOP_WSADM=/usr/netscape/stop-admin

# User privilege specification

# FULL ROOT ACCESS!!!!!! (BE CAREFUL GRANTING FULL ROOT!!!!!!!)
root        ALL=(ALL) ALL
d7742       ALL=(ALL) ALL          # Michael

# Only mount, umount and exportfs
NORMAL      LOCAL=MNT,UMNT,EXP_FS

# Some Limited Sys Admin Functions
ADMIN       LOCAL=MNT,UMNT,KILL,ORACLE_SU,SAP_SU,TCPDUMP,ERRPT,ROOT_SU: \
            LOCAL=SU_ROOT,SUROOT,EXP_FS

# Some Operator Functions
OPERATOR    LOCAL=RSH_UPDATE

# Some FastTrack/WebAdm Functions
FASTTRACK   LOCAL=START_FT_YOGI,STOP_FT_YOGI,START_FT_DINO,STOP_FT_DINO,\
            START_WSADM,STOP_WSADM

# Override Defaults

# Change the default location of the SUDO log file
Defaults    logfile=/var/adm/sudo.log

Listing 14.6 Sample /etc/sudoers file #2.
As you can see from the two sample /etc/sudoers files, you can get as detailed as you want. As you look at these files, notice that there are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias, and Cmnd_Alias. The use of each alias type is described next.
A User_Alias is a list that can contain any combination of usernames, UID (with a "#" prefix), system groups (with a "%" prefix), netgroups (with a "+" prefix), and other user-defined aliases. Any of these can be prefixed with the NOT operator, "!", to negate the entry.
A Runas_Alias can contain any of the same elements as the User_Alias; the only difference is that you use Runas_Alias instead of User_Alias in the configuration. The Runas_Alias allows execution of a command as a user other than root.
A Host_Alias is a list of hostnames, IP addresses, or netgroups (with a "+" prefix). The Host_Alias also supports the NOT operator, "!", to negate an entry. You will need to use the fully qualified DNS name if the hostname command on any machine returns the name of the machine in a fully qualified DNS format. The visudo editor will not catch this "error."
A Cmnd_Alias is a list of one or more commands, each specified by its full pathname, not just the filename. You can also specify directories and other command aliases. A command given alone allows any arguments to that command; you can disallow arguments by following the command with an empty pair of double quotes (""). If a directory is specified, a user can execute any command within that directory, but not any command in its subdirectories. Wildcards are allowed, but be very careful to ensure that each wildcard matches only what you expect.
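To make the alias and command-matching rules above concrete, here is an added example of my own (not code from the book or from the sudo distribution): a small Python checker that parses a constructed sudoers fragment in the style of Listing 14.5 and answers whether a user may run a given command on a given host, applying sudo's last-match-wins evaluation. It models only the subset described above: User_Alias, Host_Alias and Cmnd_Alias with "!" negation, directory entries, the "" no-argument marker, argument wildcards and the NOPASSWD tag; %group, +netgroup, #uid, Runas_Alias and backslash line continuation are deliberately left out.

```python
import fnmatch
import re

# Constructed sudoers fragment in the style of Listing 14.5 (added example, not
# the book's file). Not modelled: %group, +netgroup, #uid and '\' continuation.
SUDOERS = """
Cmnd_Alias SU = /usr/bin/su
User_Alias PARTTIMERS = bostley, jwfox
Host_Alias SERVERS = master, mail
jill       SERVERS = /usr/bin/, !SU
pete       ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
PARTTIMERS ALL = NOPASSWD: /usr/sbin/lpc ""
"""
ALIAS_RE = re.compile(r"^(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(?!#)(\S+)\s+(.+?)\s*=\s*(?:NOPASSWD:|PASSWD:)?\s*(.+)$")

def parse(text):  # -> alias tables keyed by type, and [(users, hosts, cmds)] entries
    aliases, specs = {"User": {}, "Host": {}, "Cmnd": {}}, []
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS_RE.match(line):
            aliases[m[1]][m[2]] = re.split(r"\s*,\s*", m[3])
        elif m := SPEC_RE.match(line):
            specs.append(tuple(re.split(r"\s*,\s*", g) for g in m.groups()))
    return aliases, specs

def expand(entries, aliases, negate=False):  # flatten aliases, carry '!' to leaves
    for e in entries:
        neg, e = negate != e.startswith("!"), e.lstrip("!")
        yield from expand(aliases[e], aliases, neg) if e in aliases else [(neg, e)]

def listed(item, entries, aliases):  # user/host list: ALL matches all, last hit wins
    hits = [not neg for neg, e in expand(entries, aliases) if e in ("ALL", item)]
    return bool(hits) and hits[-1]

def cmd_matches(spec, path, args):  # the Cmnd_Alias rules described in the text
    if spec == "ALL" or spec.endswith("/"):   # dir/: commands directly in dir only
        return spec == "ALL" or path.rpartition("/")[0] + "/" == spec
    spec_path, _, spec_args = spec.partition(" ")
    if not fnmatch.fnmatchcase(path, spec_path):   # path may carry wildcards
        return False
    return (not args if spec_args == '""' else     # "" disables all arguments
            spec_args == "" or fnmatch.fnmatchcase(" ".join(args), spec_args))

def allowed(text, user, host, path, args=()):  # as in sudo, the last match wins
    aliases, specs = parse(text)
    hits = [not neg for users, hosts, cmds in specs
            if listed(user, users, aliases["User"]) and listed(host, hosts, aliases["Host"])
            for neg, spec in expand(cmds, aliases["Cmnd"]) if cmd_matches(spec, path, args)]
    return bool(hits) and hits[-1]
```

Argument matching is simplified to one glob over the joined argument string; sudo matches argument by argument, so treat this as a reading aid for a sudoers file, not a replacement for visudo.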
I am not going to discuss every piece of sudo because very detailed documentation is included with the sudo distribution, and I need to limit my page count in this book. Our next step is to look at how to use sudo and how to use sudo in a shell script.