Sudoers File In Linux

sudoers is the default sudo security policy plugin. The sudoers policy determines a user's sudo privileges. The policy configuration file is /etc/sudoers, and visudo is the safe way to edit it: visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the system without a working sudo.
/etc/sudoers is owned by root with mode 0440, so only root can edit it; a user who already has sudo access can do so by running visudo under sudo.

User Privileges

Syntax:
user host=(runas_user:runas_group) command

The first field is the user the rule applies to, host is the host (or host list) on which the rule applies, the part in parentheses is the user and group the command may be run as, and command is the command (or list of commands) that may be run. ALL matches anything in each position.

Giving user "test" full sudo access:
test ALL=(ALL:ALL) ALL

Now the test user can execute any command as any user or any group from any host, after entering their own password.

Give user test sudo access for a specific command only:
test ALL=(ALL:ALL) /sbin/fdisk

Now the test user can execute only fdisk as any user or any group from any host, and still has to enter a password when running sudo. Keep in mind that a single-command grant is only as narrow as the command itself: anything that can spawn a shell, open an editor, or write arbitrary files as root is equivalent to granting ALL, so check what the command can do before allowing it.

On Red Hat based systems the wheel group has sudo access out of the box (the stock /etc/sudoers ships with its %wheel entry enabled), so any user added to the wheel group can run sudo. Use usermod to add an existing user to the group (useradd creates a new account and has no -a option):
usermod -aG wheel test

Group Privileges

Groups are written with a % sign before the name.
Syntax:
%group host=(runas_user:runas_group) commands

Example:
%wheel ALL=(ALL:ALL) ALL

Members of the group still have to enter their own password when running sudo.

NOPASSWD
With this tag the user does not have to enter a password when running the listed command through sudo.
Example:
test ALL=(ALL:ALL) NOPASSWD:/sbin/fdisk
Now no password is asked when user test runs fdisk through sudo. Limit NOPASSWD to the specific commands that need it: combined with ALL it turns any compromise of the account (a leaked SSH key, a malicious script run as that user) into silent root, with no prompt the user could notice or refuse.

Note: It is advisable to create a new file in the /etc/sudoers.d directory rather than editing /etc/sudoers directly. The stock /etc/sudoers ends with an #includedir /etc/sudoers.d line (@includedir in sudo 1.9.1 and later), so every file in that directory is loaded, except files whose names contain a dot or end with ~, which are skipped so that editor backups and package-manager leftovers are not read; a drop-in called test.conf is therefore silently ignored. Edit and syntax-check a drop-in with visudo -f /etc/sudoers.d/NAME, and keep it owned by root with mode 0440 like the main file.
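As an added example (not from the page or from the sudo project), the following Python script performs the drop-in installation described in this note the way a configuration tool should: it refuses file names sudo would ignore, writes the file with mode 0440 next to its destination, runs visudo -c -q -f on it, and only then renames it into place, so a rule with a syntax error never reaches /etc/sudoers.d. The name rule (no dot, no trailing ~) is sudoers' own; the NAME_RE character set, the 90-test file name, render_rule and the check= parameter (visudo in a stand-alone run, replaceable by a stub when exercising the code without root) are this example's assumptions. A real install must run as root.

```python
"""Install an /etc/sudoers.d drop-in safely: check the file name, write it with
mode 0440 beside its final location, syntax-check it with visudo, and rename it
into place only if the check passes.  Added example for this page, not part of
sudo; run it as root for a real install."""
import os
import re
import subprocess
import tempfile

SUDOERS_D = "/etc/sudoers.d"
# sudo ignores files in an includedir whose name contains a '.' or ends in '~'
# (editor backups, package-manager leftovers), so "test.conf" would be silently
# skipped.  This character set (an assumption of the example) avoids the surprise.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def drop_in_name_ok(name):
    """True if sudo would actually read a file of this name from sudoers.d."""
    return bool(NAME_RE.match(name))


def render_rule(user, command, nopasswd=False, runas="ALL:ALL", host="ALL"):
    """One user specification line in the syntax used on this page."""
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} {host}=({runas}) {tag}{command}\n"


def syntax_ok(path):
    """visudo -c -f parses a file without installing it; exit status 0 means valid."""
    return subprocess.run(["visudo", "-c", "-q", "-f", path],
                          capture_output=True).returncode == 0


def install_drop_in(name, content, directory=SUDOERS_D, check=syntax_ok):
    """Atomically install content as directory/name; raise ValueError and leave
    nothing behind if the name or the syntax is rejected."""
    if not drop_in_name_ok(name):
        raise ValueError(f"sudo would ignore a file named {name!r}")
    final = os.path.join(directory, name)
    # The temporary name contains '.', so even a leftover is ignored by sudo.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=name + ".tmp.")
    try:
        os.fchmod(fd, 0o440)            # the mode sudo expects on sudoers files
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        if not check(tmp):
            raise ValueError(f"visudo rejected {name!r}; not installed")
        os.rename(tmp, final)           # atomic: readers see the old or the new file
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


if __name__ == "__main__":
    # Installs the equivalent of the page's "test ALL=(ALL:ALL) NOPASSWD:/sbin/fdisk" rule.
    print(install_drop_in("90-test", render_rule("test", "/sbin/fdisk", nopasswd=True)))
```

The rename is the important step: a half-written drop-in in /etc/sudoers.d is read by every sudo invocation, and a syntax error in any included file makes sudo refuse to run at all, so the file must only appear under its final name once visudo has accepted it.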

Aliases:

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
Syntax:
Alias_Type NAME = item1, item2, item3, …
where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and underscore characters (`_’). A NAME must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (`:’). E.g.,

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

Defaults:

Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments.
Syntax:
Defaults option, option, …

A Defaults line can be narrowed to a scope: Defaults:user_list, Defaults@host_list, Defaults!cmnd_list or Defaults>runas_list (see the examples below). See SUDOERS OPTIONS in the sudoers manpage for the list of supported parameters.

Examples: these are taken directly from the sudoers manpage.

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                   /usr/sbin/restore, /usr/sbin/rrestore,\
                   sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                   /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                    /usr/local/bin/tcsh, /usr/bin/rsh,\
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

Note that one command in the DUMPS Cmnd_Alias includes a sha224 digest, /home/operator/bin/start_backups. This is because the directory containing the script is writable by the operator user. If the script is modified (resulting in a digest mismatch) it will no longer be possible to run it via sudo.

# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec

Giving privileges

root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

We let root and any user in group wheel run any command on any host as any user.

FULLTIMERS ALL = NOPASSWD: ALL

Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.

PARTTIMERS ALL = ALL

Part time sysadmins (bostley, jwfox, and crawl) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag).

jack CSNETS = ALL

The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in CSNETS, the local machine’s netmask will be used during matching.

lisa CUNETS = ALL

The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).

operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/
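The syntax covered above (user and group specifications, the (runas) part, the NOPASSWD tag, the four alias types and scoped Defaults) can be checked mechanically. The following is an added example, not part of this page or of sudo: a simplified Python reader that expands aliases, works out who may run what as whom and whether a password is required, and flags the grants a reviewer would question. SAMPLE is constructed from entries on this page plus a few extra lines (a deploy user exempted by !authenticate and given ALL with a '!SU' exclusion, and a jack entry granting ksh); the finding codes, the SHELL_EQUIV list and the dict layout of each grant are this example's own choices. It does not follow #include lines, parse comma lists inside the (runas) parentheses, or handle command arguments, wildcards or digests beyond carrying them through as text.

```python
"""Simplified sudoers reader added for this page (not sudo's own parser): expands the four
alias types, applies NOPASSWD tags and !authenticate Defaults, and flags root-equivalent
grants.  #include lines, comma lists inside (runas) and command arguments are not modelled."""
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
ALIAS_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*)$")
DEFAULTS_RE = re.compile(r"^Defaults([:@!>]\S+)?\s+(.*)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(.*)$")
TAG_RE = re.compile(r"^(NO)?(PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT):\s*")
SHELL_EQUIV = {"/bin/sh", "/usr/bin/sh", "/bin/bash", "/usr/bin/bash", "/usr/bin/ksh", "/usr/bin/su"}  # as root, each equals ALL

# Constructed sample: the page's own entries plus a few lines that exercise the checks.
SAMPLE = """\
User_Alias FULLTIMERS = millert, mikef, dowdy
Runas_Alias OP = root, operator
Host_Alias SERVERS = master, mail, www
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump,\\
    sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups
Defaults:deploy !authenticate
%wheel ALL = (ALL:ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
test ALL=(ALL:ALL) NOPASSWD:/sbin/fdisk
jack ALL = (OP) /usr/bin/ksh
operator SERVERS = (OP) DUMPS, /usr/oper/bin/
deploy ALL = (ALL) ALL, !SU
"""

def _logical_lines(text):
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def _split_list(s): return [x.strip() for x in s.split(",") if x.strip()]

def _expand(item, table, seen=()):
    """Replace alias NAMEs recursively; ALL and plain items pass through unchanged."""
    if item in table and item not in seen:
        return [x for sub in table[item] for x in _expand(sub, table, seen + (item,))]
    return [item]

def _cmdspec(rest, aliases):
    """Walk a command list; (runas) and TAG: state carry forward to the commands after them."""
    runas, nopasswd, cmds, excl = ["root"], False, [], []
    for item in _split_list(rest):
        if item.startswith("("):
            spec, _, item = item[1:].partition(")")
            users = _split_list(spec.partition(":")[0]) or ["root"]  # the ':group' part is ignored here
            runas = [u for x in users for u in _expand(x, aliases["Runas_Alias"])]
        item = item.strip()
        while (m := TAG_RE.match(item)):
            nopasswd = (m.group(1) == "NO") if m.group(2) == "PASSWD" else nopasswd
            item = item[m.end():]
        target = excl if item.startswith("!") else cmds
        target.extend(_expand(item.lstrip("!").strip(), aliases["Cmnd_Alias"]))
    return runas, nopasswd, cmds, excl

def parse(text):
    """Return (aliases, defaults, grants); grants hold one dict per expanded user."""
    aliases = {t: {} for t in ALIAS_TYPES}
    defaults, grants = [], []
    for line in _logical_lines(text):
        head = line.split(None, 1)[0]
        if head in ALIAS_TYPES:
            # ':' joins definitions on one line but also occurs in sha224: digests, so split only before NAME =
            for defn in re.split(r"\s*:\s*(?=[A-Z][A-Z0-9_]*\s*=)", line[len(head):]):
                if (m := ALIAS_RE.match(defn)):
                    aliases[head][m.group(1)] = _split_list(m.group(2))
        elif (m := DEFAULTS_RE.match(line)):
            defaults.append((m.group(1), _split_list(m.group(2))))
        elif (m := SPEC_RE.match(line)):
            runas, nopasswd, cmds, excl = _cmdspec(m.group(3), aliases)
            for who in _expand(m.group(1), aliases["User_Alias"]):
                grants.append({"who": who, "hosts": _expand(m.group(2), aliases["Host_Alias"]), "runas": runas,
                               "commands": cmds, "excluded": excl, "nopasswd": nopasswd})
    return aliases, defaults, grants

def audit(text):
    """Return (who, code, detail) findings for root-equivalent or passwordless grants."""
    aliases, defaults, grants = parse(text)
    no_auth = {u for scope, opts in defaults if "!authenticate" in opts and (scope is None or scope[0] == ":")
               for u in (["ALL"] if scope is None else _expand(scope[1:], aliases["User_Alias"]))}
    found = []
    for g in grants:
        pwless = g["nopasswd"] or "ALL" in no_auth or g["who"] in no_auth
        for cmd in g["commands"]:
            if cmd == "ALL":
                found.append((g["who"], "ALL_NOPASSWD" if pwless else "ALL", ""))
                # sudoers(5): subtracting from ALL with '!' is not effective; the binary can be copied elsewhere.
                found.extend((g["who"], "EXCLUSION_BYPASS", ex) for ex in g["excluded"])
            elif cmd.split()[0] in SHELL_EQUIV:
                found.append((g["who"], "SHELL", cmd))
            elif cmd.endswith("/"):
                found.append((g["who"], "DIRECTORY", cmd))  # any file later placed in that directory runs as root
            elif pwless:
                found.append((g["who"], "NOPASSWD", cmd))
    return found
```

Run it on a live system as root with audit(open("/etc/sudoers").read()) and again over each drop-in in /etc/sudoers.d. The EXCLUSION_BYPASS finding mirrors the sudoers manpage warning that writing ALL, !SU does not keep a user away from su, since they can copy the binary to a path the exclusion does not name; the DIRECTORY finding is the reason the manpage pairs the operator's start_backups script with a sha224 digest: a grant on a writable location is only as trustworthy as whatever is placed there next.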
