Using SUDO - A beginner's guide

June 14, 2005
This is a beginner's primer on using SUDO.

What is SUDO?


SUDO is a tool that allows an administrator to delegate authority: it gives selected users (or groups) the ability to run some or all commands as root or as another user.

SUDO is not a shell. It operates on a per-command basis: every invocation is checked against the policy, logged, and then run on its own.

Sudoers File


Who may use SUDO, and which commands each of them may run, is controlled by the /etc/sudoers file.

visudo is the command used to make changes to /etc/sudoers.

You should edit /etc/sudoers only with visudo. Do not edit the file directly: visudo locks the file against concurrent edits and checks the syntax before installing the new version, so a typo cannot leave the file unparsable and lock every administrator out of SUDO.


/etc/sudoers file syntax


The /etc/sudoers file is composed of two kinds of entries. They are -

  1. Aliases - These are variables; and
  2. User specifications - These decide who is allowed to run what.

Aliases


There are four kinds of aliases (variables): User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. An alias name is made up of upper-case letters, digits and underscores and must begin with an upper-case letter.

Here is an example of a User_Alias definition.

User_Alias ADMINS = ravi, anand

User_Alias is rarely needed, because you can refer to an existing system group directly in this file. Just use %groupname (for example %wheel).


Host_Alias assigns computers to a variable. The members can be host names or IP addresses. Here is an example of Host_Alias usage.

Host_Alias   FILESERVERS = fs1, fs2, 192.168.0.1

A Cmnd_Alias is a group of related commands. For example, you can bunch useful networking tools together into a command alias as follows.

## Networking
Cmnd_Alias   NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Updating the locate database
Cmnd_Alias   LOCATE = /usr/bin/updatedb

There is no limit to the number of aliases you can define with Cmnd_Alias, and the names need not be NETWORKING or LOCATE. Any descriptive upper-case name will do.


Once you have defined your aliases, you provide the user specifications that refer to them.

User Specifications


Defining the user specifications is the most important part of the /etc/sudoers file. It defines which users may run which commands on which machines, and as which target user.

The syntax for a user specification is as follows.

user  MACHINE=(RUNAS) COMMANDS

The (RUNAS) part names the user(s) the commands may be run as; when it is omitted the commands may only be run as root. Whitespace around the '=' is permitted, although most sudoers files, like the examples below, omit it.


The following are a few examples of user specification rules in the /etc/sudoers file.

## Allow root to run any commands anywhere.
root    ALL=(ALL)   ALL

## Allow people in the wheel group to run all the commands
## without a password.
%wheel   ALL=(ALL)   NOPASSWD: ALL

By default SUDO requires that a user authenticate (with their own password, not root's) before running a command. The NOPASSWD tag switches this off for the commands that follow it in the rule, as in the wheel example above; the PASSWD tag switches it back on for later commands in the same rule. Be sparing with NOPASSWD: ALL for an administrative group: anyone who gets hold of a member's session (an unattended terminal, a stolen SSH key) becomes root with no further challenge.


## Allow members of the users group to shut down this system.
%users   localhost=/sbin/shutdown -h now

Two things to note about this rule. Because arguments are listed, exactly "shutdown -h now" is permitted and nothing else (shutdown -r now would be refused); a command listed without arguments may be run with any arguments. And SUDO compares the host field with the machine's own hostname, not with where the user logged in from, so localhost only matches on a machine whose hostname is literally localhost. On a real machine use its hostname, a Host_Alias, or ALL.

Predefined Tags used in the /etc/sudoers file


PASSWD - The user must enter their password to run the command (the default).

NOPASSWD - The user need not enter their password to run the command.

EXEC and NOEXEC - Allow / prevent a dynamically-linked executable from running further commands itself. NOEXEC works by preloading a library into the program, so it can stop shell escapes from editors and pagers (for example :!sh in vi), but it cannot restrain a statically linked binary.

SETENV and NOSETENV - Override the setenv option for a command. With SETENV the user may disable env_reset from the command line via the -E option, and variables given on the command line (VAR=value) bypass the env_check, env_delete and env_keep restrictions; grant it only where the command really needs a caller-supplied environment.

LOG_INPUT and NOLOG_INPUT - These tags override the value of the log_input option on a per-command basis.

LOG_OUTPUT and NOLOG_OUTPUT - These tags override the value of the log_output option on a per-command basis.

You can use shell-style wildcards (*, ? and [...]) when defining host names, path names and command line arguments in the /etc/sudoers file. Use them with great care in command line arguments: the arguments are matched as one concatenated string and '*' also matches spaces, so a rule such as /bin/cat /var/log/* also permits cat /var/log/messages /etc/shadow. If a command must not accept arbitrary arguments, list the exact arguments, or use "" to forbid any arguments at all.
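
To make the alias, user specification and wildcard rules above concrete, here is an added example (written for this page, not sudo's own code) of a small Python model of how a user specification is evaluated: aliases are expanded, the user, host, run-as and command fields are checked in turn, the last matching rule decides, and command arguments are matched with fnmatch() against the whole argument string. The sudoers fragment, the host names and the GROUPS table standing in for /etc/group are constructed for the example. It is a simplified model (no netgroups, no Defaults, no '!' negation, no network masks), so verify a real policy with visudo and sudo -l rather than with this code.

```python
import fnmatch
import re

# Constructed inputs (not from the article): a sudoers fragment with a user alias,
# a host alias, two command aliases, a NOPASSWD rule, a command with fixed
# arguments and one with a wildcard argument, plus a toy stand-in for /etc/group.
SUDOERS = """\
User_Alias  ADMINS = ravi, anand
Host_Alias  FILESERVERS = fs1, fs2, 192.168.0.1
Cmnd_Alias  NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
Cmnd_Alias  LOGS = /bin/cat /var/log/*

root     ALL=(ALL) ALL
ADMINS   FILESERVERS=(root) NOPASSWD: NETWORKING
%users   localhost=/sbin/shutdown -h now
anand    ALL=(root) LOGS
"""
GROUPS = {"users": {"ravi", "anand", "guest"}, "wheel": {"ravi"}}

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)$")
SPEC_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.*)$")

def parse_sudoers(text):
    """Split a sudoers fragment into alias tables and an ordered list of rules."""
    aliases = {"User": {}, "Runas": {}, "Host": {}, "Cmnd": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("cannot parse: " + raw)
        who, host, runas, tag, cmds = m.groups()
        rules.append({"who": who, "host": host, "runas": runas or "root",
                      "nopasswd": tag == "NOPASSWD",
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def expand(kind, value, aliases):
    """Resolve an alias name (recursively) to its members; anything else is literal."""
    if value in aliases[kind]:
        return [m for v in aliases[kind][value] for m in expand(kind, v, aliases)]
    return [value]

def user_matches(field, user, aliases):
    """User field: ALL, a literal user name, an alias, or %group."""
    return any(e == "ALL" or e == user
               or (e.startswith("%") and user in GROUPS.get(e[1:], ()))
               for e in expand("User", field, aliases))

def simple_matches(kind, field, value, aliases):
    """Host and Runas fields: ALL, an alias, or a literal (shell patterns allowed)."""
    return any(e == "ALL" or fnmatch.fnmatchcase(value, e)
               for e in expand(kind, field, aliases))

def command_matches(entries, argv, aliases):
    """Path must match; a command listed without arguments permits any arguments;
    one listed with arguments is fnmatch()ed against the whole argument string,
    so '*' also matches spaces: '/bin/cat /var/log/*' admits '/etc/shadow' too."""
    path, args = argv[0], " ".join(argv[1:])
    for field in entries:
        for entry in expand("Cmnd", field, aliases):
            if entry == "ALL":
                return True
            parts = entry.split(None, 1)
            if not fnmatch.fnmatchcase(path, parts[0]):
                continue
            if len(parts) == 1:                      # no arguments listed: any are fine
                return True
            if parts[1] == '""':                     # "" means: no arguments at all
                if not args:
                    return True
            elif fnmatch.fnmatchcase(args, parts[1]):
                return True
    return False

def check(sudoers, user, host, argv, runas="root"):
    """Return (allowed, nopasswd). As in sudo, the last matching rule decides."""
    aliases, rules = parse_sudoers(sudoers)
    verdict = (False, False)
    for r in rules:
        if (user_matches(r["who"], user, aliases)
                and simple_matches("Host", r["host"], host, aliases)
                and simple_matches("Runas", r["runas"], runas, aliases)
                and command_matches(r["cmds"], argv, aliases)):
            verdict = (True, r["nopasswd"])
    return verdict

if __name__ == "__main__":
    print(check(SUDOERS, "ravi", "fs1", ["/sbin/ifconfig", "eth0", "up"]))           # (True, True)
    print(check(SUDOERS, "guest", "ws1", ["/sbin/shutdown", "-h", "now"]))            # (False, False)
    print(check(SUDOERS, "anand", "ws1", ["/bin/cat", "/var/log/x", "/etc/shadow"]))  # (True, False)
```

Run as a script it prints (True, True) for ravi's ifconfig on fs1 (the ADMINS rule, without a password), (False, False) for guest's shutdown on ws1 because the host field localhost does not match a machine called ws1, and (True, False) for anand's cat: the wildcard rule lets him read /etc/shadow along with the log file, which is the argument-matching pitfall described above.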


Features of SUDO


The following are the main features of SUDO.

  • To run a command with SUDO, prefix it with sudo (for example: sudo /sbin/ifconfig eth0 up).
  • You don't need to know root's password to use SUDO. It prompts for your own password.
  • Maintains an extensive logging / audit trail. Every command run through SUDO, and every refused or failed attempt, is logged (to syslog by default).
  • Caches your authentication, not your password: after a successful run you are not asked again for 5 minutes by default (the timestamp_timeout option; sudo -k discards the cached credential).
  • The NOPASSWD tag can be used for accounts that run batch processes; restrict such rules to the exact commands the job needs.
  • A handy way to give users controlled access to what they need without handing out the root password.

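Because every SUDO invocation is logged, the log is the audit trail you actually have to read. The following added example (not from the original page) parses sudo's default syslog format with a Python regular expression and flags what a reviewer would want to look at first: refused commands, failed password attempts, and permitted commands that start an interactive shell as root, after which nothing further is logged by SUDO. The five log lines are constructed for the example, and the SHELLS list and the "interactive shell" heuristic are the example's own choices.

```python
import re
from collections import Counter

# Constructed syslog lines in sudo's default log format (not taken from any real
# host): a permitted command, a rejected command, a failed authentication, a
# permitted interactive shell and one more permitted command.
LOG_LINES = """\
Jun 14 10:02:11 fs1 sudo:     ravi : TTY=pts/0 ; PWD=/home/ravi ; USER=root ; COMMAND=/sbin/ifconfig eth0 up
Jun 14 10:03:40 fs1 sudo:    guest : command not allowed ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 14 10:05:02 fs1 sudo:    guest : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/sbin/shutdown -h now
Jun 14 10:06:15 fs1 sudo:    anand : TTY=pts/2 ; PWD=/home/anand ; USER=root ; COMMAND=/bin/bash
Jun 14 10:07:30 fs1 sudo:     ravi : TTY=pts/0 ; PWD=/home/ravi ; USER=root ; COMMAND=/bin/ping -c 1 192.168.0.1
""".splitlines()

# Successful runs carry no status text; refusals and failures put it before TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<status>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")

# Commands that hand the caller an unrestricted shell (example's own list): a
# "sudo bash" entry means everything done afterwards is invisible to sudo's log.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/zsh", "/usr/bin/su"}

def parse_sudo_log(lines):
    """One dict per sudo line; 'status' is None when the command was permitted."""
    records = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ok"] = rec["status"] is None
            records.append(rec)
    return records

def findings(records):
    """What an auditor wants to see first: denials, authentication failures, and
    permitted commands that amount to an unrestricted shell as the target user."""
    out = []
    for r in records:
        if not r["ok"]:
            out.append((r["user"], r["status"], r["command"]))
        elif r["command"].split()[0] in SHELLS:
            out.append((r["user"], "interactive shell as " + r["runas"], r["command"]))
    return out

def commands_per_user(records):
    """How many commands each user actually ran through sudo (denials excluded)."""
    return Counter(r["user"] for r in records if r["ok"])

if __name__ == "__main__":
    recs = parse_sudo_log(LOG_LINES)
    for user, why, cmd in findings(recs):
        print(f"{user}: {why}: {cmd}")
    print(dict(commands_per_user(recs)))
```

On the constructed lines this reports guest's refused cat of /etc/shadow, guest's three failed password attempts, and anand's /bin/bash as root; ravi's two ordinary commands are only counted. On a real system point it at the file your syslog writes sudo messages to (commonly /var/log/auth.log or /var/log/secure), or at the logfile named in sudoers.
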
For more details on using SUDO, refer to its manual pages, sudo(8) and sudoers(5).
