Sudoers File In Linux
sudoers is the default sudo security policy plugin. The sudoers policy determines a user's sudo privileges. The policy configuration file is /etc/sudoers. The visudo command is the safe way to edit it: visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the policy unparsable and lock everyone out of sudo.
Only root can edit /etc/sudoers (the file is owned by root with mode 0440); a user with sudo access edits it by running visudo through sudo.
The general form of a user specification is:
user host=(runas_user:runas_group) command
It reads: "user" may run "command" on "host" as "runas_user" (and optionally as group "runas_group"). ALL in any position matches everything, and an omitted (runas) section means root.
Giving the user "test" full sudo access:
test ALL=(ALL:ALL) ALL
Now the test user can execute any command as any user or any group from any host.
Giving the user test sudo access for a specific command only:
test ALL=(ALL:ALL) /sbin/fdisk
Now the test user can execute only /sbin/fdisk as any user or any group from any host (with any arguments, since the entry lists none). The user still has to enter their own password when running sudo. Keep in mind that a restricted command list is only as strong as the commands on it: fdisk can rewrite the partition table of any disk, and any command that can spawn a shell or write arbitrary files is equivalent to granting full root.
On Red Hat based systems (RHEL, CentOS, Fedora) the default sudoers file grants sudo access to the wheel group, so any user added to wheel can run sudo. Use usermod (not useradd, which creates a new account) to append the group:
usermod -aG wheel test
Groups are written with a % sign before the name:
%group host=(user:group) commands
%wheel ALL=(ALL:ALL) ALL
By default the user has to enter their password when running sudo. The NOPASSWD tag removes the prompt for the commands that follow it in the entry:
test ALL=(ALL:ALL) NOPASSWD:/sbin/fdisk
Now no password is asked when the test user runs sudo /sbin/fdisk; other commands are still denied.
Note: It is advisable to create a new file in the /etc/sudoers.d directory rather than editing /etc/sudoers directly. The stock /etc/sudoers ends with an @includedir /etc/sudoers.d directive (written #includedir in older sudo versions), which loads every file in that directory except names containing a dot or ending in ~. Edit drop-ins with visudo -f /etc/sudoers.d/NAME so they get the same locking, syntax check and 0440 permissions, and run visudo -c afterwards to check the whole policy, including all drop-ins.
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. An alias is defined as:
Alias_Type NAME = item1, item2, item3, ...
where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and underscore characters ('_'). A NAME must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments.
See the SUDOERS OPTIONS section of the sudoers manpage for the list of supported Defaults parameters.
Examples: The following examples are taken from the sudoers manpage.
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Note that in the full manpage example the DUMPS and SHELLS aliases continue on further lines, which are not reproduced here, and one command in DUMPS, /home/operator/bin/start_backups, is prefixed with a sha224 digest. This is because the directory containing the script is writable by the operator user: a digest pins the exact file contents, so if the script is modified (resulting in a digest mismatch) it will no longer be possible to run it via sudo, and the writable directory cannot be used to smuggle a different program past the policy.
# Override built-in defaults
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
On the hosts in the SERVERS alias, sudo additionally writes its log to /var/log/sudo.log and includes the year in the log timestamps.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full-time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part-time sysadmins (bostley, jwfox, and crawl) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in CSNETS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/
The operator user may run commands limited to simple maintenance: the backup, process-killing, shutdown, halt, reboot and printing commands from the aliases above, editing /etc/printcap with sudoedit, and any command in the /usr/oper/bin/ directory (a trailing slash matches every file in that directory, but not in its subdirectories). All of these run as root and require a password, because the entry has neither a Runas list nor a NOPASSWD tag.
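To make the matching rules concrete, here is a small resolver written for this page (it is an added example, not sudo's own parser and not code from the sudoers manpage) that reads sudoers text and answers "may this user run this command on this host as this target user?". It covers the entry forms used above: the four alias types, %group specs, the (runas_user:runas_group) section, ALL, PASSWD/NOPASSWD tags, backslash line continuations, commands with or without arguments, and directory entries with a trailing slash. The SAMPLE policy, the user and host names in it, and the parse and check function names are constructed for the example; Defaults and @include lines are skipped, and digests, netmask hosts and wildcards are out of scope.

```python
"""Resolve "may USER run CMD on HOST as RUNAS?" against sudoers text.

Added example, not sudo's own parser. It covers the four alias types, %group
specs, (runas_user:runas_group), ALL, PASSWD/NOPASSWD tags, line continuations,
commands with or without arguments and directory entries like /usr/oper/bin/.
Defaults and @include lines are skipped; digests, netmasks and wildcards are
unsupported. As in sudo, the last matching entry decides the password tag.
"""
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, NOEXEC:, SETENV: ...

def _items(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse(text):
    """Return (aliases, specs): alias tables and user specs in file order."""
    aliases = {t: {} for t in ALIAS_TYPES}
    specs = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@")):
            continue
        head, rest = (line.split(None, 1) + [""])[:2]
        if head in ALIAS_TYPES:  # NAME = a, b : NAME2 = c
            for defn in rest.split(":"):
                name, _, members = defn.partition("=")
                aliases[head][name.strip()] = _items(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, hosts, runas, cmnds = m.groups()
        ru, _, rg = (runas or "root").partition(":")  # no (...) section means root
        cmds, nopasswd = [], False  # a tag applies to every later command
        for c in _items(cmnds):
            t = TAG_RE.match(c)
            if t:
                c = c[t.end():]
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
            cmds.append((c, nopasswd))
        specs.append((_items(who), _items(hosts), _items(ru), _items(rg), cmds))
    return aliases, specs

def _expand(items, table):
    """Replace alias NAMEs with their members (aliases may nest)."""
    out = []
    for it in items:
        out.extend(_expand(table[it], table) if it in table else [it])
    return out

def _cmd_matches(spec, cmd):
    path, _, args = spec.partition(" ")
    cpath, _, cargs = cmd.partition(" ")
    if path == "ALL":
        return True
    if path.endswith("/"):  # directory entry: any file directly inside it
        return cpath.startswith(path) and "/" not in cpath[len(path):]
    return path == cpath and (args == "" or args == cargs)  # no args listed = any args

def check(policy, user, groups, host, cmd, runas="root", runas_group=None):
    """Return None if denied, else {"passwd": bool}; the last matching entry wins."""
    aliases, specs = policy
    verdict = None
    for who, hosts, ru, rg, cmds in specs:
        if not any(u in ("ALL", user) or (u[0] == "%" and u[1:] in groups)
                   for u in _expand(who, aliases["User_Alias"])):
            continue
        if not any(h in ("ALL", host) for h in _expand(hosts, aliases["Host_Alias"])):
            continue
        if not any(r in ("ALL", runas) for r in _expand(ru, aliases["Runas_Alias"])):
            continue
        if runas_group and not any(g in ("ALL", runas_group)
                                   for g in _expand(rg, aliases["Runas_Alias"])):
            continue
        for c, nopasswd in cmds:
            if any(_cmd_matches(x, cmd) for x in _expand([c], aliases["Cmnd_Alias"])):
                verdict = {"passwd": not nopasswd}
    return verdict

# Constructed sample policy (not from a real host) mixing the entry forms above.
SAMPLE = """\
User_Alias  ADMINS = millert, mikef
Runas_Alias DB = oracle, sybase
Host_Alias  SERVERS = master, mail, www
Cmnd_Alias  DISK = /sbin/fdisk,\\
                   /sbin/parted
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
%wheel    ALL = (ALL:ALL) ALL
ADMINS    ALL = NOPASSWD: ALL
test      ALL = (ALL:ALL) NOPASSWD: /sbin/fdisk
jack      SERVERS = (DB) DISK, /usr/bin/systemctl restart oracle
operator  ALL = sudoedit /etc/printcap, /usr/oper/bin/
"""
```

With policy = parse(SAMPLE), check(policy, "jack", [], "mail", "/sbin/parted", "oracle") returns {'passwd': True}, while the same call with the default runas of root returns None because root is not in the DB Runas_Alias, and check(policy, "test", ["wheel"], "db1", "/sbin/fdisk") returns {'passwd': False} even though the earlier %wheel entry would require a password: sudo applies the tags of the last matching entry, which is the point to remember when a drop-in in /etc/sudoers.d silently loosens an earlier rule.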