What is SUDO?
SUDO is a tool that allows an administrator to delegate authority: to give selected users (or groups) the ability to run some or all commands as root or as another user.
SUDO is not a shell. It operates on a per-command basis.
Sudoers File
Who gets to use SUDO, and which commands those users can run, is controlled by the /etc/sudoers file.
visudo is the command used to make changes to /etc/sudoers. You should edit /etc/sudoers only with the visudo command, which locks the file while you edit it and checks the syntax before saving, so a typo cannot leave you with a broken policy. Do not edit the file directly.
/etc/sudoers file syntax
The /etc/sudoers file is composed of two kinds of entries:
- Aliases - These are variables.
- User specifications - These decide who is allowed to run what.
Aliases
There are 4 kinds of Aliases (variables): User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.
Here is an example of a User_Alias definition.
User_Alias ADMINS = ravi, anand
User_Alias is very rarely used, as you can use regular system groups in this file. Just use %groupname.
Host_Alias assigns computers to variables. The variables accept host names or IP addresses of the machines. Here is an example of Host_Alias usage.
Host_Alias FILESERVERS = fs1, fs2, 192.168.0.1
Cmnd_Alias groups related commands. For example, you can bunch together useful networking tools into a command alias as follows.
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
There is no limit to the number of variables you can define using Cmnd_Alias, and they need not be called NETWORKING or LOCATE. You can give them any useful name.
Once you have defined all the variables using the Aliases feature, you have to provide the user specifications.
User Specifications
Defining the user specifications is the most important part of the /etc/sudoers file. It defines which users can run what software on which machines. The syntax for a user specification is as follows.
user MACHINE=COMMANDS
There is no space on either side of the '=' symbol in the above syntax.
The following are a few examples of user specification rules in the /etc/sudoers file.
## Allow root to run any commands anywhere.
root ALL=(ALL) ALL
## Allow people in the wheel group to run all the commands
## without a password.
%wheel ALL=(ALL) NOPASSWD: ALL
By default SUDO requires that a user authenticate before running a command. This behaviour can be modified via the NOPASSWD tag, as shown in the example above. Alternatively, you can use the PASSWD tag to reverse the situation.
## Allow members of the users group to shutdown this system.
%users localhost=/sbin/shutdown -h now
Predefined Tags used in the /etc/sudoers file
- PASSWD - Used to indicate that the user needs to enter his password to run the command.
- NOPASSWD - The user need not enter his password to run the command.
- EXEC and NOEXEC - Allow / prevent a dynamically-linked executable from running further commands itself (useful for programs such as editors and pagers that can spawn a shell).
- SETENV and NOSETENV - The user is allowed (or not allowed) to enable or disable the env_reset option from the command line via the -E option.
- LOG_INPUT and NOLOG_INPUT - These tags override the value of the log_input option on a per-command basis.
- LOG_OUTPUT and NOLOG_OUTPUT - These tags override the value of the log_output option on a per-command basis.
You can use wildcards when defining host names, path names and command line arguments in the /etc/sudoers file. Wildcards in command line arguments should be used with care: '*' also matches white space, so a pattern can match additional arguments the rule was not meant to allow.
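To make the matching rules described above concrete, here is an added example in Python: a small evaluator for the alias, user-specification, tag and wildcard syntax covered on this page. It is not code from the original post and not sudo's own implementation; the policy text is constructed for the example, and as a simplification it parses but does not check the run-as list and does not expand nested aliases.

```python
import fnmatch
import re
# Constructed sample policy written in the alias and user-specification syntax described above.
SUDOERS = """\
User_Alias ADMINS = ravi, anand
Host_Alias FILESERVERS = fs1, fs2, 192.168.0.1
Cmnd_Alias LOCATE = /usr/bin/updatedb
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
ADMINS FILESERVERS=(root) LOCATE
%users localhost=/sbin/shutdown -h now
"""
ALIAS_RE = re.compile(r"(User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)")
def parse(text):
    """Return ({alias: [members]}, [(who, hosts, runas, [cmds], {tags})])."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        m = ALIAS_RE.fullmatch(line)
        if m:
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        who, rest = line.split(None, 1)
        hosts, cmds = rest.split("=", 1)                 # user MACHINE=COMMANDS
        runas = "ALL"
        if cmds.startswith("("):                         # optional (runas) list
            runas, cmds = cmds[1:].split(")", 1)
        m = re.match(r"((?:\w+:\s*)*)(.*)", cmds.strip())  # leading TAG: prefixes
        tags = set(m.group(1).replace(":", " ").split())
        specs.append((who, hosts.strip(), runas, [c.strip() for c in m.group(2).split(",")], tags))
    return aliases, specs

def cmd_matches(pattern, command):
    if " " not in pattern:   # a spec without arguments permits any arguments
        return fnmatch.fnmatchcase(command.split()[0], pattern)
    return fnmatch.fnmatchcase(command, pattern)         # sudoers wildcards follow fnmatch rules
def check(policy, user, groups, host, command):
    """Return (allowed, password_needed); the last matching entry wins, as in sudoers (run-as is parsed, not checked)."""
    aliases, specs = policy
    verdict = (False, True)
    for who, hosts, runas, cmds, tags in specs:
        user_ok = who == "ALL" or (who[1:] in groups if who.startswith("%") else user in aliases.get(who, [who]))
        host_ok = any(h in ("ALL", host) for h in aliases.get(hosts, [hosts]))
        cmd_ok = any(c == "ALL" or cmd_matches(c, command) for a in cmds for c in aliases.get(a, [a]))
        if user_ok and host_ok and cmd_ok:
            verdict = (True, "NOPASSWD" not in tags)
    return verdict
```

Compare its answers against `sudo -l -U user` on a real host to see where the simplifications (run-as, nested aliases, Defaults) matter.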
Features of SUDO
The following are the main features of SUDO.
- To run any command using SUDO, prepend sudo to your command.
- You don't need to know the root password to run SUDO. It prompts for your own password.
- Manages an extensive logging/audit trail. Each command a user executes through SUDO is logged.
- Caches your authentication so you are not prompted again for every command. The default caching time is 5 minutes.
- Can use the NOPASSWD tag for accounts used for batch processes.
- Handy way to give users controlled access to the things they need without giving them the root password.
For more details on using SUDO, refer to its manpage.